Maine's breach disclosure portal gets weaponized for fake breach claims
#Regulation

Security Reporter
4 min read

Scammers submitted bogus data breach notifications to Maine's official Attorney General portal, falsely implicating VRChat and Discord. The incidents expose a structural weakness: anyone can file a breach notice, and it goes live with zero verification.

A virtual reality platform with millions of users woke up to find itself named in an official state data breach disclosure. The catch? It never filed one, and the employee listed on the paperwork does not exist.

Maine's Office of the Attorney General runs one of the more widely watched data breach notification portals in the United States. Journalists, researchers, and consumers treat it as a reliable early signal that a company has been compromised. That trust is exactly what got abused. As reported by BleepingComputer, fraudulent breach disclosures were submitted to the portal and published before anyone verified them, forcing the named companies to publicly deny incidents that never happened.

What got filed

The most recent fake entry carried the name of VRChat, the multiplayer social VR platform built on Unity and originally released in 2014 for Windows and Oculus Rift. The bogus notice claimed that personal data belonging to more than 2.4 million users had been exposed after attackers breached the company's cloud environment.

Whoever submitted it did real homework. The filing included a drafted notification letter for affected individuals, dated the supposed intrusion to between May 10 and 12, and listed specific data categories that would actually exist in VRChat's systems:

  • VRChat username
  • The email address tied to a VRChat account
  • VRChat+ subscription status
  • Login history, including device, hardware identifiers, and IP addresses
  • The Steam or Meta user ID linked to the account

The letter read like the real thing. It described unauthorized access, referenced a forensic investigation, listed remediation steps, and walked users through protecting their accounts. At a glance, nothing looked off.

It was entirely fabricated. Charles Tupper, Head of Community at VRChat, told BleepingComputer that the company never submitted the notice and that the cited employee and email address do not exist. "We have no reason to believe that our data or systems have been compromised," he said, adding that VRChat is working to get the entry removed. CEO and co-founder Graham Gaylor confirmed the statement.

The Attorney General's office responded that "the notice will be coming down" and said it was "not aware of another example of intentional misrepresentation of the notice filings."

A pattern, not a one-off

Except it was not isolated. Earlier the same week, the portal listed a suspicious filing attributed to Discord, claiming 10 million people were impacted. This one was sloppier than the VRChat fake, and the inconsistencies gave it away. The submitter used a Gmail address and a placeholder phone number. The breach was dated to July 9, 2024, with a discovery date of August 8, 2025, and a consumer notification date listed as January 1st, 2000. No company would notify customers six years before discovering an incident.

There is a real Discord breach to confuse it with, which is likely the point. In 2025, Discord's Zendesk support system was compromised, and the attackers claimed to have stolen data on 5.5 million users from 8.4 million support tickets. The fake filing borrows the credibility of a genuine incident while getting every verifiable detail wrong.

The structural problem

The Maine Attorney General's office was candid about why this works. "Anyone can submit a breach notification form and have it added to the portal without verification," the office confirmed. "We don't have any independent knowledge of the breaches, the submitting entity fills out the information and it goes directly onto the site."

That design made sense for its original purpose. Breach notification laws exist to push companies toward fast, low-friction disclosure, and adding verification gates would slow legitimate filings. The tradeoff is that the same open door lets a bad actor publish a convincing lie under an official government banner. The reputational damage and consumer panic can land before the named company even knows a filing exists.

This is a familiar failure mode in security: a system optimized for one threat model gets repurposed by an attacker working against a different one. The portal was built to make companies disclose. It was never built to stop impersonators from disclosing on a company's behalf.

Practical takeaways

For security teams and communications staff, the lesson is that monitoring should not stop at watching for your own filings. Set up alerts for your organization's name appearing in state breach portals, because the first you hear of a fake disclosure may be a customer asking why their data was stolen.

For journalists and consumers, the rule is straightforward: an entry on an official portal is a lead, not a confirmed fact. Verify directly with the named company before treating a filing as a real incident. The telltale signs of a fabricated notice include free-email contact addresses, placeholder phone numbers, impossible or contradictory dates, and the absence of an actual consumer notification letter.
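The two takeaways above, watchlist monitoring for your own name and triage of a filing's telltale signs, can be scripted against whatever feed of portal entries you collect. The following is an added example, not code from the article or from the Maine Attorney General's office: it assumes filings have already been scraped into a simple record with contact email, contact phone, the three dates, and whether a notification letter was attached. The sample filings are constructed; the sloppy one mirrors the Discord entry the article describes, and the entity names are placeholders.

```python
"""Triage heuristics for state breach-portal filings (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import re

# Free-mail providers a company press or legal contact would not normally use.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                     "proton.me", "protonmail.com"}


@dataclass
class Filing:
    """One portal entry as a scraper might capture it (field names are assumptions)."""
    entity: str
    contact_email: str
    contact_phone: str
    breach_start: date
    discovered: date
    consumers_notified: date
    letter_attached: bool


def is_free_mail(email: str) -> bool:
    domain = email.rsplit("@", 1)[-1].lower()
    return domain in FREE_MAIL_DOMAINS


def is_placeholder_phone(phone: str) -> bool:
    """Flag obviously fake numbers: too short, all one digit, 555 exchange, or a keypad run."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 10:
        return True
    if len(set(digits)) == 1:
        return True
    if digits[-7:-4] == "555":          # 555-01xx style fictional numbers
        return True
    return digits in ("1234567890", "0123456789")


def date_inconsistencies(f: Filing, today: date) -> list[str]:
    """A real incident runs breach -> discovery -> notification, none of it in the future."""
    problems = []
    if f.discovered < f.breach_start:
        problems.append("discovered before the breach began")
    if f.consumers_notified < f.discovered:
        problems.append("consumers notified before discovery")
    if f.breach_start > today or f.discovered > today:
        problems.append("breach or discovery dated in the future")
    return problems


def fabrication_indicators(f: Filing, today: date) -> list[str]:
    """Return the list of telltale signs present on a filing (empty list = nothing obvious)."""
    indicators = []
    if is_free_mail(f.contact_email):
        indicators.append(f"free-mail contact address ({f.contact_email})")
    if is_placeholder_phone(f.contact_phone):
        indicators.append(f"placeholder phone number ({f.contact_phone})")
    indicators.extend(date_inconsistencies(f, today))
    if not f.letter_attached:
        indicators.append("no consumer notification letter attached")
    return indicators


def watchlist_hits(filings: list[Filing], watchlist: list[str]) -> list[Filing]:
    """Filings whose entity name contains any watched name, case-insensitively."""
    names = [n.lower() for n in watchlist]
    return [f for f in filings if any(n in f.entity.lower() for n in names)]


def triage(filings: list[Filing], today: date) -> dict[str, list[str]]:
    return {f.entity: fabrication_indicators(f, today) for f in filings}


# Constructed sample filings. The first mirrors the sloppy entry described in the
# article (free-mail contact, placeholder phone, notification dated before discovery).
SAMPLE_FILINGS = [
    Filing("Discord (constructed)", "notices@gmail.com", "555-555-5555",
           date(2024, 7, 9), date(2025, 8, 8), date(2000, 1, 1), letter_attached=False),
    Filing("ExampleCorp Inc. (constructed)", "privacy@examplecorp.test", "+1 (415) 867-2468",
           date(2025, 5, 10), date(2025, 5, 12), date(2025, 6, 2), letter_attached=True),
]

if __name__ == "__main__":
    for entity, flags in triage(SAMPLE_FILINGS, date(2025, 9, 1)).items():
        print(entity, "->", flags or "no obvious indicators")
    for hit in watchlist_hits(SAMPLE_FILINGS, ["examplecorp"]):
        print("watchlist hit:", hit.entity)
```

The heuristics only catch sloppy fakes. A filing like the VRChat one, with a drafted letter, plausible dates and a corporate-looking contact, produces an empty indicator list, which is why a hit on your own name should trigger a direct check with the named company rather than be treated as confirmation either way.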

The broader takeaway is uncomfortable but useful. Official does not mean verified. A government URL lends authority that the underlying data may not have earned, and attackers understand that borrowed trust is often easier to exploit than a technical vulnerability. Until breach portals add even lightweight authentication for submitters, the burden of verification falls on everyone downstream who reads them.