The Maine Attorney General’s Office has decided to temporarily disable its data breach reporting portal following the submission of false breach notifications involving VRChat and Discord. The fake filings were identified as a deliberate misuse of the state’s breach disclosure system by an unknown entity.
Background of the Incident
On June 12, 2026, officials from the Maine Attorney General’s Office made a public announcement confirming that the alleged data breaches concerning VRChat and Discord were entirely fabricated. These false reports were submitted by an unidentified third party with no connection to either company. Direct verification with VRChat revealed the notifications to be fictitious, leading to their removal from the public database.
Details of the False Filings
Reports prior to the suspension noted that one fraudulent filing claimed Discord experienced an ‘insider wrongdoing’ that compromised data of over 10 million users, while another alleged VRChat leaked information on 2.4 million users, supposedly signed by a non-existent employee. Neither company was responsible for these reports.
Maine’s stringent breach notification law necessitates companies to inform the AG’s office of any breach affecting just a single resident. This law has made the portal a crucial resource for security analysts, journalists, and legal professionals seeking early breach disclosures.
Response and Future Measures
The AG’s office acknowledged that the portal’s design allowed submissions to be published without prior verification, creating a vulnerability exploited by the fraudulent entity. In response, the public-facing database has been taken offline to review and improve internal controls to prevent future abuses while maintaining accessibility to legitimate data.
During this interim period, necessary breach reports can still be filed through the online service, and inquiries regarding current reports can be directed to the AG’s Consumer Protection Division.
Implications and Recommendations
This incident underscores a critical weakness in self-reporting government portals that automatically publish entries. Security experts and journalists are advised to treat all portal entries as preliminary until validated by the involved companies. Genuine large-scale data breaches usually result in widespread media coverage, official advisories, or legal proceedings, unlike isolated false entries.
The identity of those behind the deceptive submissions has yet to be uncovered, with no arrests reported at the time of this publication.
Stay informed by following us on Google News, LinkedIn, and X for more real-time updates.
