Maine Closes Data Breach Portal After Fake Reports Filed
Maine shut its public data breach portal after fake notices for VRChat (2.4M alleged victims) and Discord were posted.

Executive Summary
Maine’s attorney general has taken its public data breach reporting portal offline after at least two fraudulent notices were submitted — one claiming a breach of 2.4 million VRChat users and another targeting Discord. The portal, widely used by security researchers and journalists to track breach notifications, will remain inaccessible to the public until an audit of submission procedures is completed, according to a press release from the Maine attorney general’s office.
Technical Analysis
The Maine data breach portal, operated by the state’s attorney general, has long been a free resource for tracking corporate breach disclosures under Maine’s data breach notification law. The portal allowed companies to submit breach notices with minimal verification — a design choice that made it valuable for transparency but also vulnerable to abuse.
On June 11, 2026, a fake notice was posted under the name of a nonexistent VRChat employee, claiming 2.4 million customers of the virtual reality social platform had been breached. The submission used counterfeit VRChat letterhead. A second fraudulent notice was posted for Discord. The Maine attorney general’s office confirmed in a press release that both were “hoaxes” and that the office has “no knowledge of any recent legitimate data breach reports” from either company.
VRChat issued a statement saying the company requested the fake notice be removed but that Maine did not act quickly. “Despite our best efforts, this notice remained up for several hours,” VRChat said. “We want to make it perfectly clear that we have no reason to believe that our data and systems were compromised, and we did not submit any official notice about a data breach.”
The Record, which first reported the closure, noted that additional fraudulent notices may have been posted, but Maine only identified the Discord and VRChat submissions as confirmed hoaxes. The portal’s lack of pre-submission review made it easy to exploit — a vulnerability that security researchers had previously flagged as a risk.
Mitigations & Recommendations
Defenders who relied on the Maine portal for breach intelligence should monitor alternative state-level breach databases, such as those operated by California, New York, and Texas, which may have different submission verification processes. Organizations should also verify any breach notification directly with the named company before acting on the information. For now, the public can contact the Maine attorney general’s office to inquire about “existing reports” of breaches, though the online database remains offline.
