
Maine’s public data breach reporting portal, one of the most widely used state-level disclosure resources in the United States for security researchers, journalists, and threat intelligence teams, went offline after two fabricated breach notices appeared in the registry last week. The Maine Attorney General’s office pulled the public-facing database and announced an audit after The Record reported that a fraudulent filing under the name of a nonexistent VRChat employee claimed 2.4 million customers of the virtual reality social platform were breached, and a second fake notice targeted Discord.
How Two Fake VRChat and Discord Notices Brought Down Maine’s Data Breach Portal
The VRChat filing was submitted on fabricated company letterhead. VRChat issued a statement confirming it had no reason to believe its data or systems were compromised and that it did not submit any official breach notice to Maine. The company noted the fake notice remained live for several hours despite requests for its removal. A separate fraudulent entry targeted Discord, though Maine’s office did not disclose additional details about that submission.
The portal’s vulnerability was structural. Maine’s system historically allowed companies to add notices without any prior review – a design that enabled fast, good-faith disclosure but also enabled fabricated filings with no verification step. The Maine Attorney General’s office described both submissions as “hoaxes,” confirmed they have been removed, and said the office has “no knowledge of any recent legitimate data breach reports” from either company. Members of the public can still contact the office to ask about existing reports; the self-service public database is offline until the audit completes. As CSI’s prior coverage of VRChat’s statement documented, the company was not notified before the portal published the fraudulent filing.
Why Unverified Breach Portals Create a Disinformation Risk Beyond the Faked Reports
The stakes extend past any individual false notice. State breach portals — Maine’s in particular — are primary research infrastructure for security professionals, regulators, and press who track data exposure trends across industries. A portal that can accept a fabricated filing for a major consumer platform without review does not merely create a one-off false record; it calls into question the integrity of every notice in the registry. Threat intelligence teams that ingest portal data into detection workflows face the downstream problem: what else has been filed without verification?
Maine’s portal was not designed for adversarial conditions. It was designed for rapid, no-friction corporate compliance with state breach law. Fabrication at scale was not the expected threat model, and the volume of legitimate traffic made the portal valuable precisely because it was low-friction. The audit now underway will need to resolve a genuine tension: any verification step that reduces fraudulent filings also increases friction for legitimate filers, and meaningful friction delays public disclosure of real breaches.
What the Maine Audit Should Address in Its Breach Disclosure Review
The portal’s closure exposes a broader gap in how public breach registries handle identity verification for filers. Two concrete changes would address the failure mode the VRChat and Discord notices exposed.
Implement organizational identity verification before posting – Even a lightweight check — validating that the submitting email domain matches the named company’s registered domain, or requiring a confirmation step to a corporate email address — would have prevented a filing submitted under a fabricated employee name and fabricated letterhead. Maine’s portal gave the fabricated VRChat submission the same credibility as a genuine corporate disclosure the moment it was posted publicly.
Build a rapid-removal channel for affected companies – VRChat reported that the fraudulent notice remained live for several hours after it contacted Maine’s office requesting removal. A dedicated escalation path for named companies to challenge a filing — with a target resolution window measured in minutes, not hours — would limit the exposure window for disinformation and reduce reputational harm to companies who have no breach to disclose. Maine’s audit offers the opportunity to establish this protocol before the portal returns online and the public data breach notification ecosystem regains the trusted, low-friction resource researchers have relied on.
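One way to implement the lightweight check described above, shown as an added example that is not from the article or from Maine's portal: a filing is held for review unless the submitter's email domain matches the named company's domain on record, and it only becomes publishable after a signed confirmation token sent to that corporate address comes back. The company registry, the free-mail list, the status strings and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption: the portal keeps verified domains per company).
REGISTERED_DOMAINS = {"Example Corp": {"example.com"}}
FREE_MAIL = {"gmail.com", "outlook.com", "proton.me"}  # illustrative, not exhaustive

def email_domain(address):
    """Return the lowercased, IDNA-encoded domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    try:
        return domain.rstrip(".").lower().encode("idna").decode("ascii") or None
    except UnicodeError:
        return None

def domain_matches(domain, registered):
    """Exact match or true subdomain; 'example.com.evil.net' and 'notexample.com' fail."""
    return any(domain == r or domain.endswith("." + r) for r in registered)

def triage_filing(company, submitter_email):
    """Decide what happens to a new filing before anything is published."""
    domain = email_domain(submitter_email)
    registered = REGISTERED_DOMAINS.get(company)
    if domain is None:
        return "reject: malformed address"
    if registered is None:
        return "hold: company has no verified domain on record"
    if domain in FREE_MAIL or not domain_matches(domain, registered):
        return "hold: submitter domain does not match company"
    return "pending: confirmation link sent to corporate address"

def _mac(secret, filing_id, nonce):
    return hmac.new(secret, f"{filing_id}.{nonce}".encode(), hashlib.sha256).hexdigest()

def issue_token(secret, filing_id):
    """Token mailed to the corporate address; the filing stays unpublished until it returns."""
    nonce = secrets.token_urlsafe(16)
    return f"{filing_id}.{nonce}.{_mac(secret, filing_id, nonce)}"

def confirm_token(secret, token):
    """Return the filing id if the token is authentic, else None."""
    try:
        filing_id, nonce, mac = token.rsplit(".", 2)
    except ValueError:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(secret, filing_id, nonce).encode())
    return filing_id if ok else None
```

A production version would also expire tokens and record that each one was used only once.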