Yes — Glucobit Inc., the company behind the Reframe alcohol-reduction app, disclosed a data breach affecting users who uploaded personal information through the platform. This incident is part of our California AG June 30, 2026 breach roundup.
According to Claim Depot’s breach summary, Glucobit discovered unauthorized access to a single internal system, stopped the activity, and engaged cybersecurity experts. The incident was reported to the California Attorney General on June 30, 2026, with a listed breach date of May 1, 2026.
We scanned glucobit.com and joinreframeapp.com to assess email and domain security posture relevant to post-breach impersonation risk.
What Happened
According to Claim Depot and the California AG listing:
- May 1, 2026 — Unauthorized party accessed a Glucobit system and downloaded user-uploaded personal information.
- June 30, 2026 — Glucobit filed with the California Attorney General and began notifying affected users by email.
Glucobit states the incident did not compromise passwords, payment card data, home addresses, Social Security numbers, or government ID numbers — the company says it does not collect those fields. Notification letters describe the specific data types exposed to each individual.
Breach Impact at a Glance
| Field | Detail |
|---|---|
| Organization | Glucobit Inc. (Reframe app) |
| Sector | Mobile health / wellness |
| Breach date (CA AG) | May 1, 2026 |
| CA AG reported | June 30, 2026 |
| Attack vector | Unauthorized system access (single system) |
| Data copied | User-uploaded personal information via Reframe |
| Payment / SSN exposure | Company says not collected — not involved |
| Notification | Email to affected users (June 30, 2026) |
Data at Risk
Because Reframe is a platform where users document alcohol use and recovery journeys, downloaded files may include highly sensitive personal narratives beyond routine contact data — even when financial identifiers were not stored.
Affected categories communicated in individual letters may include:
- Names and contact details (email, phone)
- Dates of birth (if provided)
- User-generated recovery content uploaded through the app

Why California Reporting Matters
California’s breach list does not publish resident counts, but any organization notifying California residents must file with the AG. Glucobit was among four notices added on June 30, 2026 — alongside Kubota, Monmouth University, and NLACRC.
Independent Cybersecurity Audit
We ran an EmailMeNow Cybersecurity Audit on July 6, 2026:
| Domain | Overall | Identity | Transport | Website | Risk |
|---|---|---|---|---|---|
| joinreframeapp.com | 48% | 35% | 15% | 45% | Below Average |
| glucobit.com | 51% | 50% | 15% | 45% | Average |
Key findings:
- 48–51% overall — both domains sit well below the 100% ideal recommended for apps handling sensitive user-generated health content.
- 15% Transport Security on both domains — no effective MTA-STS enforcement or TLS-RPT reporting.
- 35–50% Identity & Spoofing — partial DMARC posture; insufficient to reliably block spoofed breach-notification or account-recovery phishing after user emails are exposed.
- joinreframeapp.com routes through Microsoft 365 / Exchange (100% email infrastructure); glucobit.com shows weaker hosted-mail configuration (30% email infrastructure).

Weak email identity controls do not cause an app-server breach by themselves, but they amplify harm when attackers already hold user contact data and recovery-related content.
Audit links:
Priority Actions
If you received a Reframe notification:
- Enroll in any official remediation offered only through instructions in your email — not links from unsolicited messages.
- Watch for targeted phishing referencing your recovery journey or app content.
- Review app privacy settings and consider what personal narratives remain stored online.
For mobile health and wellness apps:
- Enforce phishing-resistant MFA on admin, support, and cloud infrastructure accounts.
- Deploy DMARC
p=rejecton every customer-facing domain before the next incident. - Add MTA-STS
mode=enforceand TLS-RPT; segment user-upload storage from corporate email. - Minimize sensitive free-text collection; encrypt data at rest and log bulk exports.
Related Trackers
- California AG June 30 roundup
- California AG breach tracker
- Healthcare AG breach tracker
- Breach monitoring guide
- All state AG trackers
Protect user data and notification integrity.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for DMARC enforcement, MTA-STS deployment, and incident response planning.
Sources: California AG — Data Breach List · Claim Depot — Reframe / Glucobit breach · EmailMeNow audit — joinreframeapp.com · EmailMeNow audit — glucobit.com