Maine's Breach Portal Abused: Fake Data Breach Notices Target VRChat and Discord
Maine's official data breach disclosure portal has become the unlikely stage for a misinformation campaign, with fraudulent breach notifications for companies like VRChat and Discord being publicly posted. This incident highlights a critical flaw in public disclosure systems, where unverified submissions can spread false alarms and damage reputations before their legitimacy is even questioned.
A disconcerting trend has emerged from **Maine's Office of the Attorney General** data breach disclosure portal: the submission and public posting of fraudulent data breach notifications. These deceptive filings, notably targeting platforms like **VRChat** and **Discord**, have prompted the implicated companies to issue immediate denials, exposing a significant vulnerability in public information dissemination.
### VRChat Targeted by Elaborate Hoax
The most recent incident involves a notice purportedly filed by the multiplayer social virtual reality platform, **VRChat**. The fraudulent entry claimed that personal data of over 2.4 million users was exposed following a breach of the company's cloud environment between May 10 and 12. The detailed, yet fabricated, notification letter listed exposed data types including **VRChat** usernames, email addresses, subscription statuses, login histories (device, hardware identifiers, IP addresses), and linked **Steam** or **Meta** user IDs.
Despite its convincing appearance, **VRChat** swiftly debunked the claims. **Charles Tupper**, Head of Community at **VRChat**, confirmed to BleepingComputer that the notice was fake, stating, "VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised." **Graham Gaylor**, CEO and co-founder of **VRChat**, corroborated this statement. The company is actively working with the Maine AG's office to have the false filing removed.
### Discord Also a Victim of Misinformation
Earlier in the week, **Discord** was similarly targeted with a suspicious data breach notification on the same portal, alleging an impact on 10 million users. Unlike the **VRChat** filing, the **Discord** entry lacked a formal notification letter to consumers. It contained vague, inconsistent, and unreliable information, including a generic Gmail contact and a placeholder phone number, alongside contradictory dates for the breach occurrence and discovery.
While **Discord** did experience a data breach in 2025 due to a compromise of its **Zendesk** support system, impacting 5.5 million users, the details in the Maine AG's portal entry bore no resemblance to the actual incident.
### Unverified Submissions: A Critical Flaw
The **Maine Office of the Attorney General** confirmed that its portal allows anyone to submit a breach notification form, which is then publicly added without prior verification. "We don't have any independent knowledge of the breaches, the submitting entity fills out the information and it goes directly onto the site," an AG's office representative stated. This lack of vetting creates an easy avenue for malicious actors to spread misinformation, potentially causing reputational damage and widespread panic before companies are even aware of the false claims.
This series of incidents underscores a critical need for enhanced verification processes in public data breach notification systems. For IT security professionals and privacy-conscious users, it serves as a stark reminder of the importance of independently verifying breach notifications directly with affected companies rather than solely relying on public portals, however official they may appear.
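As an added illustration (not code from the Maine AG portal or from any company named here), the sketch below shows an intake check that holds a filing for manual review when it shows the red flags described for the Discord entry: a free-webmail contact, a placeholder phone number, contradictory dates, and no consumer letter. The field names, the `FREE_MAIL` list and `triage_filing` are hypothetical, and both sample filings are constructed.

```python
import re
from datetime import date

# Assumption: a small sample of free webmail domains; extend for real use.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

def triage_filing(filing, org_domains):
    """Return the reasons a breach filing should be held for manual verification."""
    flags = []
    email = filing.get("contact_email", "").strip().lower()
    domain = email.rpartition("@")[2]
    if not domain or domain in FREE_MAIL:
        flags.append("contact uses free webmail or is missing")
    elif not any(domain == d or domain.endswith("." + d) for d in org_domains):
        flags.append("contact domain not tied to the named organization")

    digits = re.sub(r"\D", "", filing.get("contact_phone", ""))
    local = digits[-10:]
    # Placeholder heuristics: too short, one repeated digit, the reserved
    # fictional 555-01xx range, or a simple counting sequence.
    if (len(digits) < 10 or len(set(local)) == 1 or local[3:8] == "55501"
            or local in ("1234567890", "0123456789")):
        flags.append("placeholder-looking phone number")

    occurred, discovered, filed = (
        filing.get(k) for k in ("occurred", "discovered", "filed"))
    if occurred and discovered and discovered < occurred:
        flags.append("discovery date precedes occurrence date")
    if filed and any(d and d > filed for d in (occurred, discovered)):
        flags.append("breach date is later than the filing date")

    if not filing.get("has_consumer_letter", False):
        flags.append("no consumer notification letter attached")
    return flags

# Constructed sample filings (not real submissions).
SUSPECT = {"contact_email": "breach.notify@gmail.com",
           "contact_phone": "(000) 000-0000",
           "occurred": date(2025, 3, 10), "discovered": date(2025, 3, 1),
           "filed": date(2025, 3, 20), "has_consumer_letter": False}
PLAUSIBLE = {"contact_email": "privacy@example.com",
             "contact_phone": "+1 207 867 5309",
             "occurred": date(2025, 3, 1), "discovered": date(2025, 3, 4),
             "filed": date(2025, 3, 20), "has_consumer_letter": True}

if __name__ == "__main__":
    for name, f in (("suspect", SUSPECT), ("plausible", PLAUSIBLE)):
        print(name, triage_filing(f, {"example.com"}))
```

An empty result only means none of these heuristics fired. A detailed filing such as the fake VRChat notice would still need confirmation with the named company through an independently sourced contact before publication.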