In a troubling case of deception, bogus data breach disclosures were uploaded to Maine’s official data breach portal and appeared publicly before their truthfulness could be checked, resulting in affected companies publicly refuting the claims.
The latest entry in the state Attorney General’s breach disclosure log is a filing that appears to originate from VRChat, a multiplayer social virtual reality platform.
However, a spokesperson from VRChat informed BleepingComputer that the disclosure is forged and was created using a fictitious employee identity.
VRChat is a social virtual reality platform built on Unity that launched for Windows and Oculus Rift in 2014, allowing users to interact through customizable avatars in environments made by the community.
The fabricated VRChat data breach entry claims that hackers accessed the company’s cloud environment, leading to the exposure of sensitive personal information belonging to more than 2.4 million users.
The person behind the false submission even crafted a notification letter addressed to affected individuals, which stated that the hacking incident took place from May 10 to 12 and included the compromise of the following data categories:
- VRChat username
- Email address linked to a VRChat account
- VRChat+ subscription status
- Login activity details, including device type, hardware identifiers, and IP addresses
- Steam or Meta account identifier tied to a VRChat account
At first glance, the fake letter gives the impression of being authentic, containing thorough explanations of unauthorized access, conclusions drawn from a forensic investigation, measures implemented once the breach was detected, assurances that security improvements have been made, and guidance on steps users should take to better safeguard their accounts.
Charles Tupper, Head of Community at VRChat, told BleepingComputer that the data breach disclosure listed in the Maine Office of the Attorney General’s records is entirely fabricated:
“VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised.”
Tupper further stated that the company is “in the process of contacting the Maine Attorney General’s office to have this removed.”
Graham Gaylor, the CEO and co-founder of VRChat, also confirmed the statement BleepingComputer had received from Tupper.
The Maine Office of the Attorney General also replied to our inquiry and confirmed that “the notice will be coming down” and that they were “not aware of another example of intentional misrepresentation of the notice filings.”
Earlier in the week, the Maine Attorney General’s Office posted another questionable data breach notification, this time supposedly from Discord, which claimed that 10 million people had been affected by a data breach.
Maine’s Attorney General Office verified to BleepingComputer that anyone is able to submit a breach notification form and have it displayed on the portal without any verification process.
“We don’t have any independent knowledge of the breaches, the submitting entity fills out the information and it goes directly onto the site. We will review the one you’ve flagged, thank you,” the Maine Attorney General’s Office told BleepingComputer when asked about the authenticity of the Discord data breach submission.
Unlike the majority of official data breach notices, the Discord entry did not include a company-issued notification letter explaining the breach to consumers, outlining what transpired and advising those affected on how to protect themselves.
Apart from the company address, the Discord entry contained vague and questionable information, beginning with the name of the individual filing the notice, a Gmail email address, and a placeholder telephone number.
Additionally, the timeline of the breach supposedly occurring on July 9, 2024, being discovered on August 8, 2025, along with an inconsistent consumer notification date of January 1st, 2000, are glaring indicators that the submission is falsified.
Although Discord did experience a genuine data breach earlier in 2025, it occurred on September 20 and was the result of hackers compromising the company’s Zendesk support desk system.
At the time, the hackers informed BleepingComputer that they had extracted data from 5.5 million users out of a pool of 8.4 million support tickets.
Even though these disclosures appear on an official government portal, their authenticity should not be assumed, as weak vetting procedures create an opening for bad actors to spread false information, potentially inflicting reputational damage and causing unnecessary alarm before affected companies are even aware that a fake filing has been made public.
These fraudulent filings underscore the importance of journalists and consumers independently confirming breach notifications with the implicated companies before treating entries on public notification portals as confirmed incidents.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper
