“`html
The Office of the Maine Attorney General has temporarily removed its publicly accessible data breach reporting database after uncovering that an unidentified entity submitted counterfeit breach notifications targeting two prominent online platforms, VRChat and Discord, in what officials describe as a calculated misuse of the state’s breach disclosure system.
On June 12, 2026, the Maine Attorney General’s office released an official statement asserting that the alleged data breaches associated with VRChat and Discord were fabrications.
The deceptive submissions were made by an unknown third party with no connection to either organization. Following direct discussions with VRChat, one of the two identified platforms, officials confirmed that the notifications were completely invented. Both spurious entries have since been eliminated from the public database.
Breach Reporting Portal Temporarily Unavailable
According to previous reports, one false submission asserted that Discord experienced an “insider misconduct” incident that compromised the personal information of over 10 million users, while a different entry claimed VRChat disclosed data concerning roughly 2.4 million users, supposedly signed by a non-existent employee. Neither company submitted those reports.
Maine’s breach notification legislation is classified as one of the strictest in the United States; a company is obligated to inform the Attorney General’s office even if merely one Maine resident is impacted by a breach.
This minimal threshold has established Maine’s public portal as a preferred resource for security researchers, journalists, and class-action lawyers seeking early breach notifications.
Importantly, the AG’s office has recognized that submissions proceed directly from the online reporting form to the public portal without independent verification. This open-access structure, while designed to promote transparency and prompt public disclosure, has created a vulnerable point that the unknown perpetrator exploited to introduce misleading information on an authoritative governmental website.
The Maine AG’s office has removed the public breach database temporarily while reviewing internal protocols to prevent future exploitation, while still ensuring public access to valid breach information.
In the meantime, entities required to submit breach notifications can continue to do so via the office’s online reporting service, and those requiring information from existing reports may reach out to the AG’s Consumer Protection Division directly.
This occurrence underscores a fundamental vulnerability in self-reported, auto-published governmental compliance portals. Security experts and journalists should regard all entries in the portal as unverified until confirmed directly by the impacted company.
Genuine large-scale breaches typically elicit corroborating coverage from multiple independent sources, official company advisories, or legal documents, which a fake entry seldom produces all at once.
The identity of the individual or group responsible for the deceptive submissions remains unidentified, and no arrests have been reported at the time of publication.
“`