The Office of the Maine Attorney General has temporarily taken its public-facing data breach reporting database offline after discovering that an unknown entity submitted fabricated breach notifications targeting two major online platforms, VRChat and Discord, in what officials are calling a deliberate abuse of the state’s breach disclosure system.

On June 12, 2026, the Maine Attorney General’s office issued a formal statement confirming that the reported data breaches involving VRChat and Discord were hoaxes.

The false filings were submitted by an unidentified third party with no affiliation to either company. After direct conversations with VRChat, one of the two named organizations, officials confirmed the notifications were entirely fabricated. Both fraudulent entries have since been removed from the public database.

Breach Reporting Portal Offline

According to earlier reporting, one fake filing claimed that Discord suffered an “insider wrongdoing” incident that exposed the personal data of more than 10 million users, while a separate filing alleged VRChat leaked data on approximately 2.4 million users signed by an employee who does not exist. Neither company filed those reports.

Maine’s breach notification law is among the strictest in the United States a company must notify the AG’s office even if just one Maine resident is affected by a breach.

This low threshold has made Maine’s public portal a go-to reference for security researchers, journalists, and class-action attorneys seeking early breach disclosures.

Critically, the AG’s office has acknowledged that submissions flow directly from the online reporting form onto the public portal without independent verification. This open-access design, while intended to ensure transparency and timely public disclosure, created an exploitable gap that the unknown actor leveraged to plant false information on an authoritative government website.

The Maine AG’s office has taken the public-facing breach database offline while it reviews internal procedures to prevent future abuse, while still preserving public access to legitimate breach data.

In the interim, entities required to file breach reports can continue doing so through the office’s online reporting service, and those needing information from existing reports can contact the AG’s Consumer Protection Division directly.

This incident highlights a systemic vulnerability in self-reported, auto-published government compliance portals. Security professionals and journalists should treat all portal entries as unverified until confirmed directly by the affected company.

Real large-scale breaches typically generate corroborating coverage across multiple independent outlets, official company advisories, or legal filings a fake entry rarely produces all three simultaneously.

The identity of the individual or group behind the fraudulent submissions remains unknown, and no arrests have been reported as of the time of publication.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.