Skip to content

Fake Data Breach Disclosures Flood Maine’s Official Breach Portal

In an unusual case of misinformation, fraudulent data breach disclosures have been submitted to Maine’s official breach portal. The submissions, which were posted before their legitimacy could be verified, prompted companies like VRChat and Discord to deny the claims.

The most recent entry in the state Attorney General’s breach disclosure database is a notice allegedly filed by multiplayer social virtual reality platform VRChat. However, a company representative told BleepingComputer that the breach notification is fake and was submitted using the name of a fictitious employee.

According to the fake VRChat data breach entry, personal data of more than 2.4 million users was exposed to hackers after they gained access to the company’s cloud environment. The submission included details about unauthorized access, results of a forensic investigation, actions taken after detecting the hack, and claims that steps have been taken to increase security.

Charles Tupper, Head of Community at VRChat, confirmed that the data breach notification in the database is fraudulent: “VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised.” Tupper added that the company is “in the process of contacting the Maine Attorney General’s office to have this removed.”

Graham Gaylor, the CEO and co-founder of VRChat, also confirmed the statement BleepingComputer received from Tupper.

The Maine Office of the Attorney General responded to our request for comments and said that “the notice will be coming down” and that they were “not aware of another example of intentional misrepresentation of the notice filings.”

Earlier this week, the Maine Attorney General’s Office listed another suspicious data breach notification allegedly from Discord, which claimed that 10 million people were impacted by a data breach. The entry did not include a notification letter from the company informing consumers about the breach, disclosing what happened and how those impacted can protect themselves.

The details of the alleged breach in the Discord entry are also questionable. It claims that the breach occurred on July 9, 2024, and was discovered on August 8, 2025, with an inconsistent consumer notification date of January 1st, 2000. Furthermore, the submission included vague and unreliable information.

A data breach did impact Discord in 2025, but it occurred on September 20 and was due to a compromise of the company’s Zendesk support desk system. At the time, the hackers told BleepingComputer that they had stolen data of 5.5 million users from 8.4 million tickets.

The validity of data disclosures is not to be taken for granted as inadequate vetting makes it easy for scammers to spread misinformation, potentially causing reputational harm and panic before companies even become aware that a false filing has been posted.

These fake filings highlight the need for journalists and consumers to independently verify breach notifications with affected companies before treating entries on public notification portals as legitimate incidents.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *