Emerging ThreatsData Breaches

Maine Breach Portal Exposed to Fake Data Breach Disclosures

Analyst 207||Source: BleepingComputer
Laptop screen displays data breach notice in government office setting.
"VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised," Charles Tupper, Head of Community at VRChat, told BleepingComputer after a fraudulent breach notice using the company's name appeared on Maine’s official breach disclosure portal.

Maine Office of the Attorney General's breach portal

The portal run by the Maine Office of the Attorney General hosts public data-breach notices submitted through an online form. According to the office, anyone can submit a breach notification form and have it added to the portal without independent verification. The office told BleepingComputer that they do not have independent knowledge of the breaches and that "the submitting entity fills out the information and it goes directly onto the site." After the VRChat filing was flagged, the office said "the notice will be coming down" and that they were "not aware of another example of intentional misrepresentation of the notice filings."

The false VRChat filing

The most recent fraudulent entry was posted under VRChat's name and included a drafted notification letter claiming that personal data of more than 2.4 million users had been exposed after attackers gained access to the company’s cloud environment. The fake letter named a fictitious employee and claimed the incident occurred between May 10 and 12. It listed affected data types as:

  • VRChat username
  • Email address associated with a VRChat account
  • VRChat+ subscription status
  • Login history, including device, hardware identifiers, and IP addresses
  • Steam or Meta user ID linked to a VRChat account

At a cursory glance the letter included plausible incident details — references to unauthorized access, results of a forensic investigation, actions taken after detection, security enhancements, and advice for affected users — but VRChat representatives say the document is fabricated.

The suspicious Discord entry

Earlier the same week, the portal listed another dubious submission alleging a Discord breach that affected 10 million people. Maine's Attorney General's Office confirmed this post as well and told BleepingComputer they would review the flagged entry. The Discord filing used a Gmail contact, a placeholder phone number, and other vague information. It listed a breach date of July 9, 2024, a discovery date of August 8, 2025, and a consumer notification date of January 1, 2000 — inconsistencies that the AG’s office and outside observers flagged as clear indicators of a false submission.

The source notes that Discord did experience a separate, confirmed incident in 2025: a breach on September 20, 2025, tied to a compromise of the company's Zendesk support desk system, in which attackers told BleepingComputer they had stolen data of 5.5 million users from 8.4 million tickets. That confirmed incident is distinct from the suspicious entry posted to Maine’s portal.

Responses from VRChat and the Maine Attorney General

VRChat’s Head of Community, Charles Tupper, told BleepingComputer the notification was fraudulent and that the employee and email listed in the filing do not exist. Graham Gaylor, CEO and co-founder of VRChat, also confirmed Tupper’s statement. VRChat said it had "no reason to believe that our data or systems have been compromised" and that the company was "in the process of contacting the Maine Attorney General's office to have this removed."

The Maine Office of the Attorney General acknowledged the vulnerability in its process — the online form can be used to post a notice immediately and without verification — and said the flagged notices would be reviewed and the VRChat notice removed.

What this means for technologists, journalists, and consumers

  • Technologists and security teams: Public, unvetted postings can cause confusion and reputational damage before an affected company is aware. The incidents underline that portal-hosted notices may require corroboration from a company's official channels before operational responses or public alerts are triggered.
  • Journalists and reporters: The episode highlights the need to independently verify breach disclosures with named companies. The source explicitly advises that journalists should not treat entries on public notification portals as legitimate incidents without confirmation from affected companies.
  • Consumers and end users: A notice listed on an official state portal is not necessarily authoritative. Consumers should wait for direct communication from the affected company or confirmation from the state office rather than reacting to an unverified portal entry.

Maine’s experience shows how a public, low-friction disclosure mechanism intended to increase transparency can be abused to spread misinformation that looks authoritative at first glance. The state has said it will remove the fraudulent VRChat notice and review suspect submissions, while VRChat is seeking removal and has denied any compromise. For now, the practical takeaway in the record left by these filings is simple and specific: verify breach claims with the named company before accepting a portal posting as fact.

Original story

Data BreachEmerging ThreatsSupply Chain AttackVrchatFake Breach DisclosuresMaineBreach PortalNotice Of Data IncidentFraudulent Breach Notice
Related Intelligence

Continue Reading

Server room with open cabinet and empty rack space, showing security access panel.

Japanese Utility Exposes 10.9 Million Client Records in Data Loss Incident

A shocking data loss incident has hit Japanese utility company Kyushu Electric Power Co., Inc., with a staggering 10.9 million client records exposed after an external storage device went missing. The device, last seen on April 27, was found to be missing on May 26, sparking a frantic investigation.

Analyst 207
University campus scene with administrative building, people walking, and laptop on a table.

ShinyHunters Exploits Oracle PeopleSoft Vulnerability in Education Sector Attacks

ShinyHunters hackers have exploited a critical Oracle PeopleSoft vulnerability, CVE-2026-35273, to launch targeted attacks on US organizations, particularly in the higher education sector. The attacks, which involved data theft and extortion, hit a whopping 68% of US higher education institutions.

Analyst 207
University server room with exposed networking equipment, hinting at a cyber breach.

ShinyHunters Breaches Universities via Oracle PeopleSoft Zero-Day Exploit

Hackers have struck 68% of breached organizations in the higher education sector, with a whopping majority being US universities, by exploiting a critical zero-day vulnerability in Oracle PeopleSoft. This severe flaw, rated 9.8/10, allows for remote code execution with no login or user interaction required.

Analyst 207
Russian defendant sits in federal courtroom with officer nearby.

Russian national charged in Void Blizzard cyber-espionage scheme

A Russian national, Denis Nikolayevich Obrezko, has been charged with helping facilitate a massive cyber-espionage scheme that infiltrated at least 11 US companies, with authorities suspecting many more victims nationwide. Obrezko allegedly played a key role in the Void Blizzard campaign by buying a virtual private server and registering domain names used in the intrusions.

Analyst 207