“After conversations with VRChat, one of two affected companies, it has become clear that the reported data breaches were hoaxes submitted by an unknown entity unrelated to either company,” the Office of the Maine Attorney General said in a June 12 statement.
Office of the Maine Attorney General takes public portal offline
The state of Maine has removed its public-facing database of breach reports from the internet while it reviews procedures to prevent future abuse, the attorney general’s office said. The office announced the database “will remain unavailable” during that review and confirmed the false entries have been removed.
The statement made clear the office intends to preserve public availability of breach information “while preserving the public availability of such information,” and said it is undertaking a procedural review aimed at making similar abuses “less likely in the future.”
The fake filings: VRChat and Discord named in the filings
Two false reports impersonated recognizable service providers. One impersonated video game developer VRChat, using a made-up employee name and claiming an incident impacted 2.4 million people. The other purported to notify users of a breach at Discord and claimed 10 million users were affected. The attorney general’s office said it has “no knowledge of any recent legitimate data breach reports from either VRChat or Discord.”
How the VRChat filing was presented
Infosecurity reviewed one of the submitted items and found it was a convincing fake. The document claimed that “an unauthorized third party accessed certain user account information between May 10-12, 2026.” It listed stolen information in bullet points — including username, email address and subscription history — and included sections describing remediation steps and next steps for victims. According to the attorney general’s office, those reports were hoaxes and have been removed from the database.
Continuity for reporters and access to historic notifications
While the public-facing database is offline, the Maine attorney general’s office said entities that need to submit a data breach report “can continue to do so through our online reporting service.” The office directed anyone seeking access to historic breach notifications to contact the office’s consumer protection division directly via email.
What this means for technologists, policymakers, and end users
- Technologists and security teams: The incident highlights the risk that public-facing reporting mechanisms can be used to publish fraudulent materials; the office’s stated procedural review is the immediate response named by officials.
- Policymakers and regulators: The state’s decision to take the database offline while reviewing procedures illustrates a trade-off the attorney general described between public availability and preventing abuse.
- End users and the general public: The attorney general’s office advised that the specific notifications for VRChat and Discord were hoaxes and recommended that anyone seeking historic notifications contact the consumer protection division by email; entities still should use the online reporting service to file reports during the outage.
The episode comes as the Identity Theft Resource Center reported a record 3,332 publicly reported data breaches in the U.S. last year — a 5% annual increase that impacted around 279 million individuals — underscoring the volume of reporting that public systems can be required to handle.
The portal will remain offline until the attorney general’s office completes its review and implements measures to reduce the risk of similar fraudulent submissions. In the meantime, legitimate reporting channels remain available and historic records can be requested directly from the consumer protection division.
