Cal AI App, a mobile calorie and health tracking application, has allegedly been compromised, resulting in the exposure of data belonging to approximately 3 million subscribers. The incident, recently disclosed on a cybercrime forum, reportedly stems from severe security misconfigurations within the application’s infrastructure. The database dump was allegedly made possible because the app’s tables—including subscription data—could be accessed and read without authentication.
The allegedly compromised data is contained within a 14.59 GB database dump and includes highly sensitive personal, financial, and health-related information. According to the actor, the exposed data includes:
-
Email addresses (including approximately 1 million Apple Private Relay addresses)
-
First and last names (for approximately 300,000 users with configured social profiles)
-
Dates of birth
-
Genders
-
Height and weight metrics (including historical tracked weight over time)
-
Exercise goals and target metrics
-
Logged meals and specific eating habits (including times of day users eat)
-
Purchased subscriptions and App Store transaction IDs
-
Third-party integration metrics (Superwall, Klaviyo, AppsFlyer)
-
User referral code conversion information
