Maine Shuts Down Breach Portal After Fake Discord, VRChat Filings

Key Takeaways

- Maine disabled its public breach notification portal after fraudulent filings impersonating Discord and VRChat were discovered
- The portal auto-published submissions without verification, allowing anyone to post fake breach disclosures to a government website
- Companies can still submit breach notifications, but public access to the database requires contacting the Attorney General's Office directly

What Happened

The Maine Attorney General's Office has temporarily shut down public access to its data breach notification database. The reason: someone submitted fake breach disclosures impersonating Discord and VRChat, and the system published them automatically to the state's official website.
The fraudulent VRChat filing claimed a breach affecting 2.4 million users. A similar fake filing claimed Discord had been breached, affecting 10 million users. Neither breach actually occurred.
BleepingComputer first reported the fake disclosures on June 11. When contacted, VRChat confirmed the filing was fraudulent and had been submitted using the name of a fictitious employee. Discord did not respond to requests for comment.

The Core Problem: No Verification

The Maine portal was designed for transparency. Companies experiencing data breaches are required to notify affected consumers and state authorities. Maine's system made these disclosures publicly accessible, which journalists, researchers, and threat intelligence firms used to track security incidents.
But the system had a critical flaw: submissions were published directly to the public database without verification. Anyone could submit a filing claiming to represent any company.
“We don't have any independent knowledge of the breaches, the submitting entity fills out the information and it goes directly onto the site.”
— Maine Attorney General's Office, statement to BleepingComputer
This design treated government credibility as inherent rather than earned. A filing on a .gov domain carries implicit authority. Researchers and journalists monitoring the portal would have no reason to doubt a disclosure's authenticity until contacting the company directly.

The State's Response

In a statement published Friday, the Maine Attorney General's Office acknowledged the "hoaxes" and said it has removed the fake reports from the database.
"The Office of the Maine Attorney General has been made aware of an apparent abuse of our data breach reporting system," the statement reads. "After conversations with VRChat, one of two affected companies, it has become clear that the reported data breaches were hoaxes submitted by an unknown entity unrelated to either company."
The office confirmed it has no knowledge of any recent legitimate data breach reports from either VRChat or Discord.
Going forward, companies can still submit breach notifications through the reporting service. But members of the public who want copies of disclosures must now contact the Attorney General's Office directly. The state says it is reviewing its procedures to prevent similar abuse.

Why This Matters

This incident demonstrates a growing attack vector: weaponizing government credibility. Automated systems that publish to official domains without verification become tools for misinformation.
The damage potential is significant. A fake breach disclosure on a government website could tank a company's stock price before anyone verifies the claim. It could trigger regulatory scrutiny, media coverage, and customer panic. The company would need to prove a negative, a notoriously difficult task.
On Hacker News, commenters criticized the lack of basic authentication. Requiring a corporate domain email or official documentation would have prevented this abuse. On Reddit's r/cybersecurity, users noted that automated government databases are increasingly targeted precisely because they carry inherent authority.
The fix seems obvious in hindsight: verify before publishing. But many government systems were built for a different threat model. They assumed bad actors would target the data, not the credibility of the platform itself.

What Comes Next

Maine has not announced what verification procedures it will implement. Options range from simple email confirmation from corporate domains to more rigorous identity verification.
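
A sketch of the "verify before publishing" option, added here as an illustration and not Maine's system or any procedure the state has announced: filings are held in a pending queue and reach the public list only after a confirmation token, sent to a mailbox at a domain already on record for the organization, is redeemed. The `Portal` class, the `VERIFIED_DOMAINS` registry and the sample organization are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: the portal keeps a registry of contact domains already verified
# for each organization. The name and domain below are constructed samples.
VERIFIED_DOMAINS = {"Example Corp": {"example.com"}}
TOKEN_TTL = 24 * 3600  # confirmation links expire after one day

class Portal:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side signing key
        self.pending = {}        # filing_id -> filing awaiting confirmation
        self.outbox = []         # (address, token) pairs handed to the mailer
        self.manual_review = []  # filings staff must verify out of band
        self.published = []      # the only list the public site renders

    def _sign(self, filing_id, expires):
        msg = f"{filing_id}:{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def submit(self, org, contact_email, summary, now=None):
        """Hold a filing; return its id, or None if routed to manual review."""
        now = time.time() if now is None else now
        local, sep, domain = contact_email.rpartition("@")
        filing = {"org": org, "summary": summary}
        if not sep or "@" in local or domain.lower() not in VERIFIED_DOMAINS.get(org, set()):
            self.manual_review.append(filing)
            return None
        filing_id = secrets.token_hex(8)
        filing["expires"] = int(now) + TOKEN_TTL
        self.pending[filing_id] = filing
        # The token goes only to the mailbox on record, never back to the submitter.
        self.outbox.append((contact_email, self._sign(filing_id, filing["expires"])))
        return filing_id

    def confirm(self, filing_id, token, now=None):
        """Publish a pending filing only if the emailed token is valid and fresh."""
        now = time.time() if now is None else now
        filing = self.pending.get(filing_id)
        if filing is None or now > filing["expires"]:
            self.pending.pop(filing_id, None)  # drop expired filings
            return False
        expected = self._sign(filing_id, filing["expires"])
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False
        self.published.append(self.pending.pop(filing_id))
        return True
```

Email confirmation only proves control of a mailbox at the listed domain, so the registry itself has to be populated through a separate, trusted process.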
The broader question is how many other state breach portals have similar vulnerabilities. Most states require breach notification, and many maintain public databases. If Maine's system could be abused this easily, others likely can too.
For companies, this is a reminder to monitor breach notification portals for filings made in their name. A fake disclosure could circulate for days before anyone notices.

Logicity's Take

This was a predictable failure. Publishing unverified legal documents to a .gov domain and trusting submitters to be honest was never going to end well. The real story is not that it happened. The story is that it took this long for someone to exploit it. Other states should audit their systems now, not after their own incident makes headlines.

Frequently Asked Questions

Was there actually a Discord or VRChat data breach?
No. Both filings were fraudulent. VRChat confirmed to BleepingComputer that its filing was fake and submitted by an unknown party using a fictitious employee name. The Maine AG's Office has removed both fake reports.
Can I still access Maine's data breach database?
Not directly. Maine has disabled public access while it reviews its procedures. If you need copies of breach disclosures, you must now contact the Attorney General's Office directly.
How did fake breach notices get published on a government website?
Maine's system automatically published submitted breach notifications without verification. Anyone could submit a filing claiming to represent any company, and it would appear on the state's official website.
Do other states have similar vulnerabilities in their breach portals?
Potentially. Most states require breach notification and many maintain public databases. The extent to which other states verify submissions before publishing is unclear.
What should companies do to protect themselves from fake breach filings?
Monitor state breach notification portals for filings made in your company's name. Set up alerts or periodically check major state databases to catch fraudulent disclosures early.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer