Maine’s Data Breach Reporting Portal Under Review After Discord and VRChat Fakes Slip Through
June 18, 2026
Recent fake data breach reports for Discord and VRChat filed with the state of Maine have demonstrated that data breach reporting portals can become a source of fast-spreading disinformation if not managed properly.
Data breach reporting portals are meant to expedite the notification process, getting necessary information to the public more quickly and efficiently. However, recent incidents with the state of Maine’s portal have demonstrated that they can instead become a source of fast-spreading disinformation if not managed properly.
The state let two fake data breach reports slip through within the space of about a week: first for Discord, then for VRChat. The Discord report had enough errant details that it was under suspicion as soon as it was posted, but the VRChat report had a much more refined approach and was picked up by several news outlets as a legitimate story before the truth came out.
Maine reviews data breach reporting process after apparent vetting failures
With no perpetrator named, it remains unclear why exactly someone would submit fake data breach reports. However, the fact that they were accepted and posted (and then generated follow-on news stories that took them as credible) has prompted a review of the portal’s procedures.
There is not yet any indication the Maine website was breached, or that a rogue employee in the government was involved. Though those are not entirely eliminated as possibilities, the more likely explanation is that the fake data breach reports were “rubberstamped” by either an automated system that wasn’t tuned quite right or a manual review that did not do enough fact-checking.
The data breach report for VRChat, which caused the most chaos, was also the second effort and the more professional-looking one. At a glance, it looked like a legitimate notification filed by the company. However, the supposed VRChat employee associated with it turned out to be a fake name with fake contact information.
About a week prior, there was another fake data breach notification that briefly made its way onto the Maine website. This one was for Discord and was more clearly fraudulent. It essentially used the real September 2025 Discord breach as a base, but swapped some details around and changed some numbers. This may have been a test by the same actor to see what they could slip by Maine’s systems.
The Maine data breach reporting portal was taken down on June 12 due to the VRChat notification, and remains down temporarily as the state weighs how to improve its review procedures.
What are the dangers of fake breach reports making the news?
Why go to the trouble of filing a fake data breach report? The obvious conclusion is reputational damage to the target company, and perhaps a temporary window of stock price manipulation to take advantage of. This didn’t appear to be the goal of this particular incident, though, as the report declined to make the breach appear as bad as it might have (for example, assuring that payment and government ID information were not involved) and was also spotted and removed very quickly. Reputational damage to whoever maintains the portal itself, perhaps perpetrated by someone such as a disgruntled former employee, might also be the goal.
Hacking groups have also fabricated breaches before in an attempt to extract ransoms, and something like this slipping through a trusted source’s gates might help to legitimize their claims (or just add to the general confusion) in the right circumstances. While abuse of a breach reporting portal is not one of the more severe or high-priority items in the cybersecurity world, this incident makes it clear that it is something of interest to at least pranksters if not more serious threat actors.



