Maine breach portal exploited to publish fake data breach disclosures

In an uncommon misinformation marketing campaign, fraudulent knowledge breach disclosures had been submitted to Maine’s official breach portal and made out there to the general public earlier than their legitimacy might be verified, prompting corporations to disclaim the claims.

The discover, allegedly filed by multiplayer social digital actuality platform VRChat, is the most recent entry within the state lawyer common’s infringement disclosure database.

Nevertheless, an organization consultant advised BleepingComputer that the infringement discover was faux and was filed utilizing a fictitious worker’s title.

VRChat is a multiplayer social digital actuality platform constructed on Unity, initially launched for Home windows and Oculus Rift in 2014, the place customers work together as customizable avatars in user-created digital worlds.

The faux VRChat knowledge breach entry states that greater than 2.4 million customers had their private knowledge uncovered to hackers after accessing the corporate’s cloud setting.

The one who submitted the false info labored to create a notification letter for affected people claiming that the hacking incident occurred between Might tenth and twelfth and affected the next kinds of knowledge:

• VRChat username
• E-mail handle related together with your VRChat account
• VRChat+ subscription standing
• Login historical past, together with gadgets, {hardware} identifiers, and IP addresses
• Steam or Meta person ID linked to your VRChat account

At first look, the faux letters seem respectable, stuffed with particulars about unauthorized entry, the outcomes of a forensic investigation, actions taken after the hack was detected, claims that steps have been taken to enhance safety, and what customers ought to do to raised shield their accounts.

Charles Tupper, head of group at VRChat, advised BleepingComputer that the info breach notification within the Maine Lawyer Normal’s Workplace database is fraudulent.

“VRChat has not filed a notification of this knowledge incident and the worker/e mail cited doesn’t exist. We’ve no purpose to imagine that our knowledge or programs had been compromised.”

Tapper added that the corporate is “within the means of contacting the Maine Lawyer Normal’s Workplace to have this eliminated.”

VRChat CEO and co-founder Graham Gaylor additionally confirmed the assertion BleepingComputer obtained from Tapper.

The Maine Lawyer Normal’s Workplace additionally responded to our request for remark, saying that “notices can be filed sooner or later” and that they’re “not conscious of some other cases of intentional misrepresentation in submitting notices.”

Earlier this week, the Maine Lawyer Normal’s Workplace listed one other suspicious knowledge breach notification allegedly from Discord, claiming that 10 million folks had been affected by the info breach.

The Maine Lawyer Normal’s Workplace confirmed to BleepingComputer that anybody can submit a breach notification kind and add it to the portal with out authentication.

Requested concerning the validity of Discord’s knowledge breach grievance, the Maine Lawyer Normal’s Workplace advised BleepingComputer, “We’ve no unbiased data of the breach. The submitting entity will fill out the knowledge and it will likely be posted on to the location. We’ll overview what you report, thanks.”

In contrast to most formal knowledge breach notifications, the Discord entry didn’t embrace a notification letter from the corporate informing shoppers concerning the breach and clarifying what occurred and the way affected folks can shield themselves.

Other than the enterprise handle, the Discord entry contained imprecise and unreliable info, beginning with the title of the particular person sending the notification, a Gmail contact, and a placeholder telephone quantity.

Moreover, the conflicting particulars of the breach, which occurred on July 9, 2024 and was found on August 8, 2025, and the patron notification date of January 1, 2000 clearly point out a false submission.

A knowledge breach affected Discord in 2025, which occurred on September 20 and was attributable to a breach of the corporate’s Zendesk assist desk system.

On the time, the hackers advised BleepingComputer that they stole knowledge on 5.5 million customers from 8.4 million tickets.

Regardless of being revealed on official portals, the effectiveness of knowledge disclosure shouldn’t be taken with no consideration. Inadequate vetting makes it simpler for fraudsters to unfold false info, which might trigger reputational injury and panic earlier than corporations even notice {that a} false utility has been posted.

These bogus filings spotlight the necessity for journalists and shoppers to independently confirm infringement notifications with affected corporations earlier than treating entries on public notification portals as respectable incidents.