In an unusual misinformation campaign, fraudulent data breach disclosures were submitted to Maine’s official breach portal and publicly posted before their legitimacy could be verified, prompting companies to deny the claims.
A notice allegedly filed by multiplayer social virtual reality platform VRChat is the most recent entry in the state Attorney General’s breach disclosure database.
However, a company representative told BleepingComputer that the breach notification is fake and has been filed using the name of a fictitious employee.
VRChat is a multiplayer social virtual reality platform built on Unity and originally released for Windows and Oculus Rift in 2014, where users interact as customizable avatars in user-created virtual worlds.
The fake VRChat data breach entry notes that personal data of more than 2.4 million users was exposed to hackers after they gained access to the company’s cloud environment.
Whoever submitted the false information made the effort to draft a notification letter for affected individuals, which claimed that the hacking incident occurred between May 10 and 12 and impacted the following types of data:
- VRChat username
- Email address associated with a VRChat account
- VRChat+ subscription status
- Login history, including device, hardware identifiers, and IP addresses
- Steam or Meta user ID linked to a VRChat account
At a cursory look, the false letter appears legitimate, filled with details about unauthorized access, results of a forensic investigation, actions taken after detecting the hack, claims that steps have been taken to increase security, and what users should do to increase protection for their account.
Charles Tupper, Head of Community at VRChat, told BleepingComputer that the data breach notification in the database of the Maine Office of the Attorney General is fraudulent:
“VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised.”
Tupper added that the company is “in the process of contacting the Maine Attorney General’s office to have this removed.”
Graham Gaylor, the CEO and co-founder of VRChat, also confirmed the statement BleepingComputer received from Tupper.
The Maine Office of the Attorney General also responded to our request for comments and said that “the notice will be coming down” and that they were “not aware of another example of intentional misrepresentation of the notice filings.”
Earlier this week, the Maine Attorney General’s Office listed another suspicious data breach notification allegedly from Discord, which claimed that 10 million people were impacted by a data breach.
Maine’s Attorney General Office confirmed to BleepingComputer that anyone can submit a breach notification form and have it added to the portal without verification.
“We don’t have any independent knowledge of the breaches, the submitting entity fills out the information and it goes directly onto the site. We will review the one you’ve flagged, thank you,” Maine Attorney General’s Office told BleepingComputer when asked about the validity of the Discord data breach submission.
Unlike most formal data breach notifications, the Discord entry did not include a notification letter from the company informing consumers about the breach, disclosing what happened and how those impacted can protect themselves.
Apart from the company address, the Discord entry included vague and unreliable information, starting with the name of the person submitting the notice, a Gmail contact, and a placeholder phone number.
Furthermore, the details about the breach occurring on July 9, 2024, and being discovered on August 8, 2025, along with an inconsistent consumer notification date of January 1st, 2000, are clear indications of a false submission.
Although a data breach did impact Discord in 2025, it occurred on September 20 and was due to a compromise of the company’s Zendesk support desk system.
At the time, the hackers told BleepingComputer that they had stolen data of 5.5 million users from 8.4 million tickets.
Despite being listed on an official portal, the validity of data disclosures is not to be taken for granted as inadequate vetting makes it easy for scammers to spread misinformation, potentially causing reputational harm and panic before companies even become aware that a false filing has been posted.
These fake filings highlight the need for journalists and consumers to independently verify breach notifications with affected companies before treating entries on public notification portals as legitimate incidents.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
