Maine Shuts Down Breach Portal After Fake Discord, VRChat Filings

Manaal Khan · 13 June 2026 at 1:46 am · 4 min read
Key Takeaways

Source: BleepingComputer
  • Maine disabled its public breach notification portal after fraudulent filings impersonating Discord and VRChat were discovered
  • The portal auto-published submissions without verification, allowing anyone to post fake breach disclosures to a government website
  • Companies can still submit breach notifications, but public access to the database requires contacting the Attorney General's Office directly

What Happened

Maine's Attorney General's Office has temporarily shut down public access to its data breach notification database. The reason: someone submitted fake breach disclosures impersonating Discord and VRChat, and the system published them automatically to the state's official website.

The fraudulent VRChat filing claimed a breach affecting 2.4 million users. A similar fake filing claimed Discord had been breached, affecting 10 million users. Neither breach actually occurred.

BleepingComputer first reported the fake disclosures on June 11. When contacted, VRChat confirmed the filing was fraudulent and had been submitted using the name of a fictitious employee. Discord did not respond to requests for comment.

The Core Problem: No Verification

The Maine portal was designed for transparency. Companies experiencing data breaches are required to notify affected consumers and state authorities. Maine's system made these disclosures publicly accessible, which journalists, researchers, and threat intelligence firms used to track security incidents.

But the system had a critical flaw: submissions were published directly to the public database without verification. Anyone could submit a filing claiming to represent any company.

We don't have any independent knowledge of the breaches, the submitting entity fills out the information and it goes directly onto the site.

— Maine Attorney General's Office, statement to BleepingComputer

This design treated government credibility as inherent rather than earned. A filing on a .gov domain carries implicit authority. Researchers and journalists monitoring the portal would have no reason to doubt a disclosure's authenticity until contacting the company directly.

The State's Response

In a statement published Friday, the Maine Attorney General's Office acknowledged the "hoaxes" and said it has removed the fake reports from the database.

"The Office of the Maine Attorney General has been made aware of an apparent abuse of our data breach reporting system," the statement reads. "After conversations with VRChat, one of two affected companies, it has become clear that the reported data breaches were hoaxes submitted by an unknown entity unrelated to either company."

The office confirmed it has no knowledge of any recent legitimate data breach reports from either VRChat or Discord.

Going forward, companies can still submit breach notifications through the reporting service. But members of the public who want copies of disclosures must now contact the Attorney General's Office directly. The state says it is reviewing its procedures to prevent similar abuse.

Why This Matters

This incident demonstrates a growing attack vector: weaponizing government credibility. Automated systems that publish to official domains without verification become tools for misinformation.

The damage potential is significant. A fake breach disclosure on a government website could tank a company's stock price before anyone verifies the claim. It could trigger regulatory scrutiny, media coverage, and customer panic. The company would need to prove a negative, a notoriously difficult task.

On Hacker News, commenters criticized the lack of basic authentication. Requiring a corporate domain email or official documentation would have prevented this abuse. On Reddit's r/cybersecurity, users noted that automated government databases are increasingly targeted precisely because they carry inherent authority.

The fix seems obvious in hindsight: verify before publishing. But many government systems were built for a different threat model. They assumed bad actors would target the data, not the credibility of the platform itself.

What Comes Next

Maine has not announced what verification procedures it will implement. Options range from simple email confirmation from corporate domains to more rigorous identity verification.
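A sketch of the simplest option named above, e-mail confirmation from a corporate domain, written as a hold-then-publish gate. This is an added example, not code from Maine's portal or from the original article; the `Portal` class, the `KNOWN_DOMAINS` registry and the ExampleCorp names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed registry (assumption): organization -> domains on record for it.
KNOWN_DOMAINS = {"examplecorp": {"examplecorp.example"}}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret for token MACs


class Portal:
    def __init__(self):
        self.filings = {}  # filing_id -> record; state is "pending" or "published"
        self.outbox = []   # (address, token) pairs that would be e-mailed

    def _token(self, filing_id, contact):
        msg = f"{filing_id}|{contact}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def submit(self, org, contact, summary):
        """Store the filing as pending; nothing is published at submission."""
        filing_id = secrets.token_hex(8)
        domain = contact.rsplit("@", 1)[-1].lower()
        on_record = domain in KNOWN_DOMAINS.get(org.lower(), set())
        self.filings[filing_id] = {
            "org": org, "contact": contact, "summary": summary,
            "state": "pending", "needs_manual_review": not on_record,
        }
        if on_record:
            # The token only ever goes to an address at a domain on record.
            self.outbox.append((contact, self._token(filing_id, contact)))
        return filing_id

    def confirm(self, filing_id, token):
        """Publish only when the e-mailed token comes back intact."""
        filing = self.filings.get(filing_id)
        if filing is None or filing["needs_manual_review"]:
            return False
        expected = self._token(filing_id, filing["contact"])
        if not hmac.compare_digest(expected, token):
            return False
        filing["state"] = "published"
        return True

    def public_view(self):
        """What the public database would show: confirmed filings only."""
        return [f for f in self.filings.values() if f["state"] == "published"]
```

Confirmation by e-mail shows control of a mailbox at a domain on record, not authority to file on the company's behalf; filings that fail the domain check stay unpublished until a person reviews them.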

The broader question is how many other state breach portals have similar vulnerabilities. Most states require breach notification, and many maintain public databases. If Maine's system could be abused this easily, others likely can too.

For companies, this is a reminder to monitor breach notification portals for filings made in their name. A fake disclosure could circulate for days before anyone notices.

Logicity's Take

This was a predictable failure. Publishing unverified legal documents to a .gov domain and trusting submitters to be honest was never going to end well. The real story is not that it happened. The story is that it took this long for someone to exploit it. Other states should audit their systems now, not after their own incident makes headlines.

Frequently Asked Questions

Was there actually a Discord or VRChat data breach?

No. Both filings were fraudulent. VRChat confirmed to BleepingComputer that its filing was fake and submitted by an unknown party using a fictitious employee name. The Maine AG's Office has removed both fake reports.

Can I still access Maine's data breach database?

Not directly. Maine has disabled public access while it reviews its procedures. If you need copies of breach disclosures, you must now contact the Attorney General's Office directly.

How did fake breach notices get published on a government website?

Maine's system automatically published submitted breach notifications without verification. Anyone could submit a filing claiming to represent any company, and it would appear on the state's official website.

Do other states have similar vulnerabilities in their breach portals?

Potentially. Most states require breach notification and many maintain public databases. The extent to which other states verify submissions before publishing is unclear.

What should companies do to protect themselves from fake breach filings?

Monitor state breach notification portals for filings made in your company's name. Set up alerts or periodically check major state databases to catch fraudulent disclosures early.

Manaal Khan

Tech & Innovation Writer
