Back to news
Cybersecurity Alert
July 6, 2026 by EmailMeNow IT Consulting

Was Glucobit / Reframe Breached? We Scanned Their Domain Security

Glucobit Inc., maker of the Reframe alcohol-reduction app, reported a May 1, 2026 breach to the California AG on June 30. User-uploaded personal data was downloaded. Audits score joinreframeapp.com at 48% and glucobit.com at 51%.

Source: California Attorney General · Claim Depot

NewsData BreachCaliforniaMobile AppCybersecurity
Reframe alcohol reduction app data breach reported to California Attorney General

Yes — Glucobit Inc., the company behind the Reframe alcohol-reduction app, disclosed a data breach affecting users who uploaded personal information through the platform. This incident is part of our California AG June 30, 2026 breach roundup.

According to Claim Depot’s breach summary, Glucobit discovered unauthorized access to a single internal system, stopped the activity, and engaged cybersecurity experts. The incident was reported to the California Attorney General on June 30, 2026, with a listed breach date of May 1, 2026.

We scanned glucobit.com and joinreframeapp.com to assess email and domain security posture relevant to post-breach impersonation risk.

What Happened

According to Claim Depot and the California AG listing:

  • May 1, 2026 — Unauthorized party accessed a Glucobit system and downloaded user-uploaded personal information.
  • June 30, 2026 — Glucobit filed with the California Attorney General and began notifying affected users by email.

Glucobit states the incident did not compromise passwords, payment card data, home addresses, Social Security numbers, or government ID numbers — the company says it does not collect those fields. Notification letters describe the specific data types exposed to each individual.

Breach Impact at a Glance

FieldDetail
OrganizationGlucobit Inc. (Reframe app)
SectorMobile health / wellness
Breach date (CA AG)May 1, 2026
CA AG reportedJune 30, 2026
Attack vectorUnauthorized system access (single system)
Data copiedUser-uploaded personal information via Reframe
Payment / SSN exposureCompany says not collected — not involved
NotificationEmail to affected users (June 30, 2026)

Data at Risk

Because Reframe is a platform where users document alcohol use and recovery journeys, downloaded files may include highly sensitive personal narratives beyond routine contact data — even when financial identifiers were not stored.

Affected categories communicated in individual letters may include:

  • Names and contact details (email, phone)
  • Dates of birth (if provided)
  • User-generated recovery content uploaded through the app

Illustration: sensitive Reframe app user data and recovery journal content exposed in mobile health breach

Why California Reporting Matters

California’s breach list does not publish resident counts, but any organization notifying California residents must file with the AG. Glucobit was among four notices added on June 30, 2026 — alongside Kubota, Monmouth University, and NLACRC.

Independent Cybersecurity Audit

We ran an EmailMeNow Cybersecurity Audit on July 6, 2026:

DomainOverallIdentityTransportWebsiteRisk
joinreframeapp.com48%35%15%45%Below Average
glucobit.com51%50%15%45%Average

Key findings:

  • 48–51% overall — both domains sit well below the 100% ideal recommended for apps handling sensitive user-generated health content.
  • 15% Transport Security on both domains — no effective MTA-STS enforcement or TLS-RPT reporting.
  • 35–50% Identity & Spoofing — partial DMARC posture; insufficient to reliably block spoofed breach-notification or account-recovery phishing after user emails are exposed.
  • joinreframeapp.com routes through Microsoft 365 / Exchange (100% email infrastructure); glucobit.com shows weaker hosted-mail configuration (30% email infrastructure).

Illustration: joinreframeapp.com and glucobit.com email security audits showing identity and transport gaps

Weak email identity controls do not cause an app-server breach by themselves, but they amplify harm when attackers already hold user contact data and recovery-related content.

Audit links:

Priority Actions

If you received a Reframe notification:

  • Enroll in any official remediation offered only through instructions in your email — not links from unsolicited messages.
  • Watch for targeted phishing referencing your recovery journey or app content.
  • Review app privacy settings and consider what personal narratives remain stored online.

For mobile health and wellness apps:

  • Enforce phishing-resistant MFA on admin, support, and cloud infrastructure accounts.
  • Deploy DMARC p=reject on every customer-facing domain before the next incident.
  • Add MTA-STS mode=enforce and TLS-RPT; segment user-upload storage from corporate email.
  • Minimize sensitive free-text collection; encrypt data at rest and log bulk exports.

Protect user data and notification integrity.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for DMARC enforcement, MTA-STS deployment, and incident response planning.


Sources: California AG — Data Breach List · Claim Depot — Reframe / Glucobit breach · EmailMeNow audit — joinreframeapp.com · EmailMeNow audit — glucobit.com