Fake Data Breach Reports Posted to Maine's Official Portal

Key Takeaways

- Fraudulent breach notifications for VRChat and Discord were posted to Maine's official Attorney General portal before verification
- VRChat confirmed the filing was fake, submitted by a fictitious employee claiming 2.4 million users were affected
- Maine AG's office admitted anyone can submit breach notifications without identity verification
What Happened
Someone submitted fake data breach notifications to Maine's official Attorney General breach portal. The reports claimed that VRChat and Discord had suffered major security incidents. Maine posted these claims publicly before checking if they were real.
The most recent fake entry claimed VRChat had exposed personal data of more than 2.4 million users after hackers accessed the company's cloud environment. The filing included a detailed notification letter describing a supposed incident between May 10 and 12. It listed compromised data types including usernames, email addresses, subscription status, login history, device identifiers, IP addresses, and linked Steam or Meta user IDs.
The letter looked convincing. It described unauthorized access, forensic investigation results, security improvements, and steps users should take. But none of it was true.
VRChat Responds
Charles Tupper, Head of Community at VRChat, told BleepingComputer the notification was fraudulent. The employee named in the filing does not exist.
“VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised.”
— Charles Tupper, Head of Community, VRChat
Graham Gaylor, VRChat's CEO and co-founder, confirmed Tupper's statement. The company is working with Maine's Attorney General office to remove the fake entry.
VRChat is a multiplayer social virtual reality platform built on Unity, originally released in 2014 for Windows and Oculus Rift. The platform reached an all-time peak of 158,192 concurrent users in February 2026 and averages around 100,000 daily active users across VR, mobile, and PC.
Discord Also Targeted
Earlier the same week, another suspicious filing appeared on Maine's portal. This one claimed Discord had suffered a breach affecting 10 million people. Maine's Attorney General's Office confirmed to BleepingComputer that this entry was also suspect.
The Portal's Design Flaw
Maine's Attorney General's Office explained the core problem: anyone can submit a breach notification form and have it added to the public portal without verification.
The office told BleepingComputer it was "not aware of another example of intentional misrepresentation of the notice filings." The fake VRChat notice "will be coming down," they said.
The portal was designed for transparency. When companies suffer data breaches, state law often requires them to notify affected residents and the Attorney General. Making these filings public helps consumers know when their data may be at risk. But the system assumed good faith. It did not account for bad actors who might abuse it to spread false information.
Why This Matters
Fake breach notifications create real problems. Companies must scramble to deny claims and reassure customers. Users may panic, change passwords, or cancel accounts based on false information. Stock prices can move on breach news. Competitors or short sellers could exploit the vulnerability.
The incident also damages trust in official government transparency tools. If people can't trust that breach notifications on a state AG's website are real, the entire system loses credibility.
Discussion on Reddit's r/cybersecurity forum focused on the design flaw. Users expressed surprise that a government portal lacked basic identity or authorization checks before publishing claims that could damage companies' reputations.
What Comes Next
Maine will likely need to add verification steps. This could include requiring filings to come from verified company domains, adding manual review before publication, or implementing a delay between submission and public posting.
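The three controls named above (verified filer domains, manual review, a publication delay) can be combined into one pre-publication gate. The sketch below is an added example, not code from Maine's portal or from the original article; the registry, the 72-hour hold, the `Filing` fields and all sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical registry of filer domains confirmed out of band (constructed values).
VERIFIED_DOMAINS = {"ExampleCo": {"example.com"}}
HOLD = timedelta(hours=72)  # assumed delay between submission and public posting


@dataclass
class Filing:
    company: str
    submitter_email: str
    submitted_at: datetime
    reviewer_approved: bool = False


def domain_verified(filing: Filing) -> bool:
    """Exact match on the domain after the last '@'; suffix or substring matches are refused."""
    local, sep, domain = filing.submitter_email.strip().lower().rpartition("@")
    if not (local and sep and domain):
        return False
    return domain in VERIFIED_DOMAINS.get(filing.company, set())


def publication_status(filing: Filing, now: datetime) -> str:
    """Return the gate decision; a filing is published only after all three checks pass."""
    if not domain_verified(filing):
        # Outside counsel may file legitimately, so hold for a call-back rather than drop.
        return "held: confirm submitter out of band"
    if not filing.reviewer_approved:
        return "held: awaiting manual review"
    if now - filing.submitted_at < HOLD:
        return "held: publication delay"
    return "publish"


def demo() -> list[str]:
    """Run constructed filings through the gate at two points in time."""
    t0 = datetime(2026, 1, 5, tzinfo=timezone.utc)
    filings = [
        Filing("ExampleCo", "privacy@example.com.filings.test", t0),
        Filing("ExampleCo", "privacy@example.com", t0),
        Filing("ExampleCo", "privacy@example.com", t0, reviewer_approved=True),
    ]
    early = [publication_status(f, t0 + timedelta(hours=1)) for f in filings]
    late = publication_status(filings[2], t0 + timedelta(hours=96))
    return early + [late]


if __name__ == "__main__":
    print(demo())
```

The first constructed filing shows why the domain check must be an exact match: an address that merely contains the company's domain as a prefix is held for out-of-band confirmation instead of being treated as verified.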
For companies, the incident is a reminder to monitor state breach portals for unauthorized filings using their name. A quick response can limit damage, but the fake filing itself creates a permanent record that spreads through news coverage and social media.
Frequently Asked Questions
Was VRChat actually breached?
No. VRChat confirmed the breach notification was fake. The company said the employee named in the filing does not exist, and they have no evidence of any compromise.
How did fake breach reports get posted to an official government site?
Maine's breach portal allows anyone to submit notifications that are posted publicly without verification. The system was designed for transparency but did not include checks to confirm filing authenticity.
Was Discord also affected by fake breach reports?
A suspicious breach notification claiming 10 million Discord users were affected also appeared on Maine's portal earlier the same week. Maine's AG office confirmed they were investigating.
What data did the fake VRChat breach claim was exposed?
The fraudulent filing claimed hackers accessed usernames, emails, subscription status, login history, device identifiers, IP addresses, and linked Steam or Meta IDs for 2.4 million users. None of this actually happened.
Are other states' breach portals vulnerable to the same abuse?
Potentially. Any state that posts breach notifications publicly without verification could face similar misinformation attacks. States should review their processes after this incident.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer