Maine Disables Breach Portal After Hoax Submissions

"The Office of the Maine Attorney General has been made aware of an apparent abuse of our data breach reporting system," the state's statement reads, bluntly summarizing why Maine has taken its public data breach reporting portal offline.

Maine Attorney General's Office: system taken offline and reviews underway

The Maine Attorney General's Office acknowledged that data breach "hoaxes" were submitted through the state's reporting system and said those false reports have been removed from the database. In its statement, the office said it had "no knowledge of any recent legitimate data breach reports from either VRChat or Discord," naming the two companies whose identities were used in the fraudulent filings.

The office has temporarily disabled public access to the breach notification database while it reviews reporting procedures "to reduce similar abuse in the future." The portal remains open for companies to submit breach notifications, but members of the public seeking copies of disclosures must now contact the Attorney General's Office directly.

VRChat and Discord: fraudulent notices and responses

BleepingComputer reported that fake disclosures had been filed impersonating Discord and the multiplayer social virtual reality platform VRChat. According to the reporting, the fraudulent VRChat filing claimed a data breach impacting over 2.4 million people and included a fabricated employee contact name in the disclosure.

VRChat told BleepingComputer that the filing was fraudulent, that it had not submitted the notice to Maine authorities, and that the submission used the name of a fictitious employee. BleepingComputer also contacted Discord about the fraudulent notice submitted to the site but did not receive a response. The Attorney General's Office said the hoaxes were submitted by "an unknown entity unrelated to either company."

Automatic publication: how submissions reached the public

Prior to the shutdown, submitted breach notices were automatically published to the public database. The Attorney General's Office described the workflow in frank terms: "We don’t have any independent knowledge of the breaches, the submitting entity fills out the information and it goes directly onto the site."

That automatic pipeline — designed to make breach disclosures publicly visible without a separate verification step — is what allowed the fraudulent filings to appear as official notices. The office told BleepingComputer it will review flagged submissions and has removed the known hoaxes.

Journalists, researchers, and threat intelligence firms: access curtailed

Maine's data breach portal is commonly used by journalists, researchers, and threat intelligence firms to monitor newly disclosed security incidents and to determine whether organizations are reporting cyberattacks or data breaches affecting consumers. With public access disabled, those users lose direct access to the database and must now request disclosures from the Attorney General's Office.

It is unclear how many additional fraudulent breach notices may have been submitted through the portal before the state suspended public access to the database, leaving researchers and reporters uncertain about what other entries may have been affected.

What this demonstrates and what comes next

The incident demonstrates how automatically published breach disclosures can be abused to spread misinformation and damage a company's reputation. In response, the Maine Attorney General's Office has removed the false reports, disabled public access to the portal, and said it will review reporting procedures to reduce future abuse. Companies may continue to file notices through the service, but public retrieval of those filings is now mediated by the Attorney General's Office.

The fundamental question left by the episode is procedural: how will the state balance rapid public disclosure against controls that prevent spoofing and fraud? Maine's next steps — the technical and policy changes that emerge from its review — will determine whether a public breach registry can remain both timely and resilient to manipulation.

Original reporting: BleepingComputer — Maine disables data breach notification portal after fake disclosures