The Maine Attorney General’s Office has temporarily disabled its public data breach reporting portal following the submission of fraudulent breach notifications concerning VRChat and Discord. These false reports, filed by an unidentified party, alleged significant data exposures affecting millions of users.
On June 12, 2026, the Attorney General’s Office confirmed that the breach reports for VRChat and Discord were fabricated. Direct communication with VRChat verified that the company had not experienced any such incident, and the purported employee who filed the report does not exist. Consequently, both false entries have been removed from the public database.
One of the fraudulent filings claimed that Discord suffered an ‘insider wrongdoing’ incident exposing the personal data of over 10 million users. Another alleged that VRChat leaked information on approximately 2.4 million users. Neither company filed these reports, and both have been confirmed as false.
Maine’s breach notification law mandates that companies report any data breach affecting even a single resident. This stringent requirement has made the state’s public portal a valuable resource for security researchers, journalists, and legal professionals seeking early breach disclosures.
However, the Attorney General’s Office acknowledged that submissions from the online reporting form were published directly to the public portal without independent verification. This process allowed the unidentified party to exploit the system by posting false information on an official government website.
In response, the Attorney General’s Office has taken the public-facing breach database offline to review and enhance internal procedures, aiming to prevent future misuse while maintaining public access to legitimate breach data. Entities required to file breach reports can continue to do so through the office’s online reporting service, and those seeking information from existing reports are advised to contact the Consumer Protection Division directly.
This incident underscores the vulnerabilities inherent in self-reported, auto-published government compliance portals. It serves as a reminder for security professionals and journalists to verify breach reports through multiple sources, including official company statements and legal filings, before accepting them as accurate.
