What happened
Maine’s Attorney General’s Office has taken its public-facing data breach reporting portal offline after two fraudulent breach notices were posted, one falsely claiming 2.4 million VRChat customers had been breached and another targeting Discord. Neither company had reported a breach, and the Maine AG’s office confirmed it has no knowledge of any recent legitimate breach reports from either organization.
The fake notices were submitted without verification, exploiting the portal’s historically open submission process that allowed companies to post notices without prior review. The VRChat notice appeared on fake company letterhead under the name of a nonexistent employee. VRChat stated the notice remained live for several hours despite its requests for removal. Both fraudulent notices have since been taken down.
Maine is still accepting breach reports from companies but has suspended public access to the portal while it audits its procedures. Members of the public can contact the AG’s office directly to inquire about existing reports. The office stated it is reviewing procedures to make abuse less likely while preserving public availability of the information.
Who is affected
The immediate reputational harm fell on VRChat and Discord, whose names were falsely associated with major breaches. The broader impact affects security researchers, journalists, and threat intelligence professionals who rely on the Maine portal as a publicly accessible breach disclosure resource, as its offline status removes a key reference point for the security community.
Why CISOs should care
The Maine portal’s submission-without-review model created a trust problem that bad actors have now demonstrated willingness to exploit. For security leaders, the incident highlights two distinct risks: the reputational damage that fraudulent breach notices can inflict on organizations named in them, and the loss of a reliable public data source that many threat intelligence workflows depend on.
The ease of the abuse also suggests that other state breach reporting portals with similar open submission models may face comparable exploitation attempts.
3 practical actions
- Monitor state breach reporting portals for fraudulent notices naming your organization: The Maine incident demonstrates that fake breach disclosures can appear on official government portals without verification. Establish monitoring for your organization’s name across state AG breach databases and set up alerts that would flag a new listing so you can respond quickly if a fraudulent notice appears.
- Prepare a rapid public denial response template for false breach claims: VRChat took several hours to get the fake notice removed. Having a pre-approved public statement template that clearly denies a breach, explains the fraudulent nature of the report, and directs stakeholders to official channels allows faster response when reputational damage is accumulating in real time.
- Engage with your state AG’s office proactively to understand breach reporting procedures and escalation contacts: The VRChat statement indicated Maine was slow to respond to removal requests. Establish a direct contact relationship with your relevant state AG’s cybersecurity or consumer protection team before an incident occurs, so you have a known escalation path if a fraudulent notice affecting your organization appears.
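One way to implement the new-listing alert from the first action, as an added example that is not from the article or any state portal. It assumes a separate fetcher has already turned each portal snapshot into records with `entity` and `posted` fields (a hypothetical shape, since the portals share no schema); the watchlist and sample records are constructed.

```python
import re
import unicodedata

# Constructed watchlist: every spelling of your organization you want flagged.
WATCHLIST = ["Example Corp", "ExampleCorp Inc."]

_SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|corporation|co|company)\b\.?")

def normalize(name):
    """Fold case, accents, punctuation, spacing and legal suffixes."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = _SUFFIXES.sub(" ", text.lower())
    return re.sub(r"[^a-z0-9]", "", text)

def fingerprint(entry):
    # Assumption: no stable listing ID is available, so name + date identifies a listing.
    return (normalize(entry["entity"]), entry["posted"])

def new_matches(previous, current, watchlist):
    """Return listings that are new since the last snapshot and name a watched org."""
    keys = {k for k in map(normalize, watchlist) if k}  # drop empty keys
    seen = {fingerprint(e) for e in previous}
    alerts = []
    for entry in current:
        if fingerprint(entry) in seen:
            continue  # already reviewed in an earlier run
        name = normalize(entry["entity"])
        if any(k in name for k in keys):
            alerts.append(entry)
    return alerts

# Constructed snapshots: yesterday's listings and today's.
PREVIOUS = [
    {"entity": "Acme Widgets LLC", "posted": "2024-01-03"},
    {"entity": "Example Corp", "posted": "2023-06-10"},
]
CURRENT = PREVIOUS + [
    {"entity": "EXAMPLE  Corp.", "posted": "2024-02-01"},
    {"entity": "Northwind Traders", "posted": "2024-02-01"},
]

if __name__ == "__main__":
    for hit in new_matches(PREVIOUS, CURRENT, WATCHLIST):
        print(f"ALERT: new listing names watched org: {hit['entity']} ({hit['posted']})")
```

Substring matching is deliberately loose so that spelling variants still alert; route hits to a person who can confirm with legal or incident response whether the notice is genuine.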
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

