Maine breach – A fraudulent data breach notice was submitted to Maine’s official breach portal and posted publicly before it could be verified. VRChat says the filing is fake, uses a made-up employee identity, and falsely claims millions were exposed—while Maine’s Attorney G
For a brief window, VRChat’s name sat inside Maine’s official breach portal like a real incident—complete with details that looked, at least at first glance, like they came from a company’s legal and security playbook. Then the company checked the filing and pushed back.
The most recent entry in the state Attorney General’s breach disclosure database allegedly describes a large-scale exposure of more than 2.4 million users. It claims hackers gained access to VRChat’s cloud environment and that the incident happened between May 10 and 12. with follow-on steps and instructions prepared for affected people. But VRChat says that notice isn’t just wrong—it’s fraudulent.
In a statement to BleepingComputer. Charles Tupper. Head of Community at VRChat. said the company did not submit any notice to Maine’s portal. “VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised.” Tupper added that VRChat is “in the process of contacting the Maine Attorney General’s office to have this removed.”.
Graham Gaylor, the CEO and co-founder of VRChat, confirmed the statement received by BleepingComputer.
The disputed entry points to a fictitious employee identity and lays out a list of data it claims was exposed. That list includes VRChat username; the email address associated with a VRChat account; VRChat+ subscription status; login history including device. hardware identifiers. and IP addresses; and a Steam or Meta user ID linked to a VRChat account.
It also includes language designed to look authoritative—drafted as if it were a letter to consumers about unauthorized access. the results of a forensic investigation. actions taken after detecting a hack. and steps meant to improve security. along with what users should do to protect their accounts.
But Maine’s portal, by design, does not guarantee that any filing is legitimate before it appears publicly.
The Maine Office of the Attorney General told BleepingComputer that “the notice will be coming down” and said it was “not aware of another example of intentional misrepresentation of the notice filings.” When asked how such notices can appear on the portal. the office also said it has no independent knowledge of breaches and that anyone can submit a breach notification form that is added to the site without verification. “We don’t have any independent knowledge of the breaches. the submitting entity fills out the information and it goes directly onto the site. We will review the one you’ve flagged, thank you,” the office said.
That matters because the VRChat incident isn’t the only suspicious entry.
Earlier this week. the Maine Attorney General’s Office listed another data breach notification allegedly from Discord. claiming 10 million people were impacted. The Attorney General’s office confirmed to BleepingComputer that the portal can accept submissions without verification. Unlike most formal notices. the Discord entry did not include a company notification letter to consumers explaining what happened and how people can protect themselves.
That filing also contained details that did not hold up. It started with the name of the person submitting the notice, a Gmail contact, and a placeholder phone number. It claimed a breach occurred on July 9. 2024. was discovered on August 8. 2025. and carried an inconsistent consumer notification date of January 1st. 2000. The story described by the false filing clearly conflicts with what Discord reported about its own real-world incident.
Although a data breach impacted Discord in 2025, it occurred on September 20 and was linked to a compromise of the company’s Zendesk support desk system. At the time, hackers told BleepingComputer they stole data of 5.5 million users from 8.4 million tickets.
The sequence across these filings is uncomfortable in a very specific way: the moment a notice lands on an official-looking portal. it can spread as though it were verified—before any company has had a chance to check it. The VRChat entry and the earlier Discord submission show how scammers can use the structure of legitimate reporting to trigger reputational damage and panic. even when no breach exists behind the paperwork.
A portal that accepts submissions without independent verification doesn’t just create administrative inconvenience. It creates a public stage where misinformation can look credible long enough to do real harm—before verification can catch up.
Maine breach portal VRChat fake data breach Maine Attorney General cybersecurity misinformation data breach notifications Discord fake breach Zendesk compromise Unity social VR platform
So people just made up a breach notice and posted it?? Wild.
I don’t even trust those portals. Sounds like one fake filing and now everybody thinks it’s real. 2.4 million users thrown around like it’s nothing.
Wait, VRChat says it didn’t happen but the portal had dates May 10-12… so like did they delete something later or is it just totally made up? Also what is an “official playbook” wording doing in there, seems like they’re admitting something.
This is why Maine can’t have nice things. Next they’ll blame Meta or Steam or somebody else, but really whoever filed it probably guessed usernames and IPs from somewhere. Funny part is the employee name ‘doesn’t exist’… like who even checks that fast? I’d be paranoid anyway.