Maine Breach Portal Vulnerability
Maine's official breach portal has been abused to publish fake data breach disclosures, prompting companies to deny the claims. The most recent entry in the state Attorney General's breach disclosure database is a notice allegedly filed by multiplayer social virtual reality platform VRChat.
However, a company representative told BleepingComputer that the breach notification is fake and has been filed using the name of a fictitious employee. The fake VRChat data breach entry notes that personal data of more than 2.4 million users was exposed to hackers after they gained access to the company's cloud environment.
False Breach Notification
The false notification letter claimed that the hacking incident occurred between May 10 and 12 and impacted the following types of data: VRChat username, email address associated with a VRChat account, VRChat+ subscription status, login history, including device, hardware identifiers, and IP addresses, and Steam or Meta user ID linked to a VRChat account.
Charles Tupper, Head of Community at VRChat, told BleepingComputer that the data breach notification in the database of the Maine Office of the Attorney General is fraudulent:
VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised.
Tupper added that the company is in the process of contacting the Maine Attorney General's office to have this removed. Graham Gaylor, the CEO and co-founder of VRChat, also confirmed the statement BleepingComputer received from Tupper.
Maine Attorney General's Response
The Maine Office of the Attorney General also responded to our request for comments and said that the notice will be coming down and that they were not aware of another example of intentional misrepresentation of the notice filings.
Earlier this week, the Maine Attorney General's Office listed another suspicious data breach notification allegedly from Discord, which claimed that 10 million people were impacted by a data breach. Maine's Attorney General Office confirmed to BleepingComputer that anyone can submit a breach notification form and have it added to the portal without verification.
Lack of Verification
The Discord entry did not include a notification letter from the company informing consumers about the breach, disclosing what happened and how those impacted can protect themselves. Apart from the company address, the Discord entry included vague and unreliable information, starting with the name of the person submitting the notice, a Gmail contact, and a placeholder phone number.
Furthermore, the details about the breach occurring on July 9, 2024, and being discovered on August 8, 2025, along with an inconsistent consumer notification date of January 1st, 2000, are clear indications of a false submission. Although a data breach did impact Discord in 2025, it occurred on September 20 and was due to a compromise of the company's Zendesk support desk system.
These fake filings highlight the need for journalists and consumers to independently verify breach notifications with affected companies before treating entries on public notification portals as legitimate incidents.
- Test every layer before attackers do
- Security teams log 54% of successful attacks and alert on just 14%.
- The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Source: BleepingComputer