
Is Cal AI safe? What the reported 2026 breach means for food-tracking privacy
In 2026, a hacker on a data-leak forum claimed to have pulled more than 3.2 million user records from Cal AI, the viral photo calorie-counting app. According to reporting by security outlets including Cybernews — whose researchers reviewed a sample of the data and said it appeared legitimate — the records allegedly included full names, dates of birth, email addresses, height and weight, subscription details, and timestamped meal logs. Cal AI has not publicly confirmed the breach, so it remains an alleged incident — but the reporting raises questions every food-tracking user should ask.
The reported attack vector matters more than the headline number. Researchers described an unauthenticated backend database that could be read without credentials, and app logins protected by 4-digit numeric PINs without rate limiting. If accurate, that isn’t a sophisticated hack — it’s a door left open. And in the same year, Cal AI was acquired by MyFitnessPal, which means data practices and policies may change again under new ownership.
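To make the rate-limiting point concrete, here is an added example (not code from Cal AI, Bitewise, or the reporting cited above): a server-side, per-account lockout that bounds online guessing against a 4-digit PIN. The policy constants, the account name and the PIN values are constructed assumptions.

```python
import hmac

PIN_SPACE = 10_000        # 4-digit numeric PIN: 0000-9999
FREE_ATTEMPTS = 5         # assumed policy: failure count at which lockouts begin
BASE_DELAY_S = 30         # assumed policy: first lockout; doubles per further failure
MAX_DELAY_S = 24 * 3600   # assumed policy: lockout cap


def lockout_delay(failures):
    """Seconds an account stays locked after its Nth consecutive failure."""
    if failures < FREE_ATTEMPTS:
        return 0
    return min(BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY_S)


class PinThrottle:
    """Server-side limiter keyed by account, not by client IP or device.
    stored_pin is compared directly to keep the sketch short; PIN storage is out of scope."""

    def __init__(self):
        self._state = {}  # account -> (consecutive failures, locked-until timestamp)

    def check(self, account, pin, stored_pin, now):
        failures, locked_until = self._state.get(account, (0, 0))
        if now < locked_until:
            return "locked"  # rejected before the PIN is even compared
        if hmac.compare_digest(pin.encode(), stored_pin.encode()):
            self._state.pop(account, None)  # success resets the counter
            return "ok"
        failures += 1
        self._state[account] = (failures, now + lockout_delay(failures))
        return "denied"


def seconds_to_exhaust():
    """Total lockout time imposed on one account before all 10,000 PINs can be tried."""
    return sum(lockout_delay(n) for n in range(1, PIN_SPACE))


def guesses_evaluated(stored_pin, seconds):
    """Replay one request per second against one account; count guesses actually compared."""
    throttle, evaluated = PinThrottle(), 0
    for now in range(seconds):
        result = throttle.check("user@example.test", f"{evaluated:04d}", stored_pin, now)
        if result == "ok":
            return evaluated + 1
        if result == "denied":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print(guesses_evaluated("7391", 3600), "guesses evaluated in one hour")
    print(round(seconds_to_exhaust() / 86400 / 365, 1), "years to cover the PIN space")
```

Under this assumed policy, an hour of continuous requests gets only 11 guesses compared, and covering the whole PIN space would take decades; with no limiter, every request is a live guess against a space of just 10,000.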
Why does this matter so much for a calorie app? Because a food diary is more intimate than it sounds. Meal logs with timestamps reveal your daily routine, when you’re home, whether you’re dieting, and how your weight is trending. Combined with a name, birth date, and email, that’s a detailed health-and-lifestyle profile — the kind of data that deserves the same protection as medical records, and rarely gets it.
Whatever tracker you use — including ours — here are the questions worth asking. Can the company read your food diary, and does it sell or share it? Can you export your data and delete it completely? Is the backend actually locked down, or just the app? Does the privacy policy survive an acquisition? If an app’s answers are vague, assume the worst: the food-tracking category is full of fast-growing apps where security came second to growth.
For the record, here is where Bitewise stands. Your food diary is private by default and it is yours alone: we don’t sell it, we don’t share it, and you can export or delete everything at any time. We built Bitewise around whole foods and honest weekly trends rather than engagement mechanics, and we treat the data the same way — collect the minimum, and give you the exit. Bitewise is in early access; if you have privacy questions we haven’t answered here, email us and we’ll answer them directly.