Maine Takes Data Breach Portal Offline After Fake VRChat and Discord Filings


The Office of the Maine Attorney General has taken its public data breach database offline after fake breach notices impersonated VRChat and Discord. In a June 12 statement, the Maine Attorney General’s office said the reports were hoaxes submitted by an unknown entity unrelated to either company.

The false reports have been removed from the database. The state said it has no knowledge of any recent legitimate data breach reports from either VRChat or Discord.

The public-facing portal will remain offline while the office reviews its procedures. Companies that need to file breach reports can still do so through Maine’s online reporting service, according to the state’s data security breaches page.

What happened with the fake filings

The incident began after breach notices naming VRChat and Discord appeared in Maine’s public breach database. The filings looked official because they appeared on a government website, but the companies had not submitted those reports.

VRChat later published its own explanation, saying it had no reason to believe its data or systems were compromised. The company said the filing used fake VRChat letterhead and listed a person who does not exist, according to the VRChat statement.

BleepingComputer reported that the fake VRChat notice claimed more than 2.4 million people were affected. A separate fake Discord notice reportedly claimed that more than 10 million users were affected by an insider wrongdoing incident, according to BleepingComputer.

| Company named in filing | Claim in the fake notice | Current status |
| --- | --- | --- |
| VRChat | Alleged breach affecting more than 2.4 million people | VRChat said the notice was fake and it did not file it. |
| Discord | Alleged insider wrongdoing affecting more than 10 million users | Maine said it has no knowledge of a recent legitimate Discord report. |
| Maine breach portal | Public database published the disputed filings | The public-facing database is offline pending a procedure review. |

Maine says the reports were hoaxes

The official Maine statement said the office became aware of an apparent abuse of its reporting system. After speaking with VRChat, one of the affected companies, the office concluded that the reported breaches were hoaxes.

The statement also said the fake reports were submitted by an unknown entity unrelated to either company. Maine did not name a suspect or describe a motive.

The state said it is reviewing procedures to make similar abuse less likely while preserving public access to legitimate breach information. Until then, members of the public who need information from existing reports must contact the Consumer Protection Division directly.

Why Maine’s portal matters to researchers and journalists

Maine’s breach database has become a widely watched source for early breach disclosures. Security researchers, journalists, threat intelligence firms, and class-action attorneys often monitor state portals because breach notices can appear there before companies publish detailed public statements.

Maine law requires certain entities to report data security breaches to the Attorney General. The state’s breach reporting guidance says reporting entities must notify the Attorney General through the online form when required and make notices without delay.

That public value also created a trust problem. If unverified notices appear automatically, a fake filing can briefly look like an official government-backed confirmation of a major cyber incident.

The portal design created an opening for misinformation

The key issue was not a breach of Maine’s systems. It was the way submitted reports appeared in the public database before independent verification.

BleepingComputer reported that the Maine Attorney General’s office said submitted breach information went directly onto the site and that the office did not have independent knowledge of the claimed breaches before publication.

That process can help legitimate disclosures appear quickly. It can also let a bad actor create a false record on a government website, then use that record to spread panic, phishing campaigns, stock rumors, or reputational damage.

  • A fake report appears on a trusted public portal.
  • Users, journalists, or researchers see the filing before the company responds.
  • Attackers or rumor accounts amplify the claim on social media.
  • Customers may receive phishing messages that cite the fake government notice.
  • The company must spend time disproving a breach that never happened.

VRChat says no breach occurred

VRChat said the false notice was submitted by an unknown third party and that it did not file any official data breach notice. The company said it found no reason to believe its data or systems were compromised.

The company’s blog post said the fake notice used the name and contact information of a person who does not exist. VRChat said the notice stayed up for several hours before it was removed.

That timeline shows why companies need fast response plans for false regulatory filings. Even a fake entry can be indexed, screenshotted, reported, and shared before the truth catches up.

How to verify breach claims before reporting them

The Maine incident is a reminder that a public breach portal entry should not be treated as final proof by itself. Public records can be wrong, especially when they come from self-reported intake systems.

Security teams and journalists should look for confirmation from the named company, the regulator, customer notification letters, SEC filings where applicable, independent technical evidence, or multiple credible sources.

| Verification step | Why it helps |
| --- | --- |
| Contact the named company | Confirms whether the company filed the notice or disputes it. |
| Check the regulator’s statement | Shows whether the filing has been reviewed or removed. |
| Compare with official company channels | Real incidents often lead to customer notices or public updates. |
| Review technical indicators | Helps separate a breach claim from a paperwork hoax. |
| Avoid repeating raw claims too early | Reduces the risk of spreading misinformation. |

Public access remains paused, but filings continue

The shutdown affects public access to the database, not the legal reporting process itself. Organizations that need to file breach reports can still use Maine’s online reporting service.

For the public, researchers, and reporters, the state says requests for existing report information should go to the Attorney General’s Consumer Protection Division. Maine has not announced a public restoration date for the database.

The immediate takeaway is clear: the VRChat and Discord filings were not legitimate breach notices, and Maine has taken the public portal offline while it reviews how to prevent similar abuse in the future.

FAQ

Why did Maine take its data breach portal offline?

Maine took the public-facing data breach database offline after fake breach notices naming VRChat and Discord were submitted through the state’s reporting system and published online.

Were the VRChat and Discord breach notices real?

No. The Maine Attorney General’s office said the reported breaches were hoaxes submitted by an unknown entity unrelated to either company. VRChat also said it had no reason to believe its data or systems were compromised.

Can companies still report breaches to Maine?

Yes. Maine says entities that need to submit a data breach report can still use the online reporting service while the public-facing database remains offline.

Why are breach portals important?

Breach portals help the public, journalists, researchers, and regulators track data security incidents. They are useful for transparency, but this incident shows that self-reported entries still need verification.

How should journalists and researchers verify breach filings?

They should confirm the filing with the named company, check official regulator statements, look for customer notices or legal filings, and avoid treating a single portal entry as final proof before verification.
