Maine Breach website abused for publishing fake data disclosures

In an unusual misinformation campaign, a fake data breach disclosure was submitted to Maine’s official data breach portal and published before its validity was verified, prompting the companies to deny the claims.
The notice, purportedly from the multiplayer virtual reality platform VRChat, is the latest entry in a database that discloses violations of federal law.
However, a company representative told BleepingComputer that the breach notice was fake and was filed using a fictitious employee’s name.
VRChat is a multiplayer virtual reality platform built on Unity and originally released for Windows and Oculus Rift in 2014, where users interact as customized avatars in user-created virtual worlds.

The fake VRChat breach notice claims that the personal data of more than 2.4 million users was exposed to hackers after they gained access to the company’s cloud storage.
Whoever posted the false information attempted to write a victim notification letter, stating that the hack occurred between May 10 and 12 and affected the following types of data:
- VRChat username
- The email address associated with the VRChat account
- VRChat+ subscription status
- Logging history, including device, hardware identifiers, and IP addresses
- The Steam or Meta user ID linked to the VRChat account
At first glance, the fake letter looks legitimate, full of information about unauthorized access, the results of forensic investigations, steps taken after discovering the hack, claims that measures have been taken to increase security, and what users should do to increase the security of their account.
Charles Tupper, Head of Community at VRChat, told BleepingComputer that the data breach notice on the Maine Office of the Attorney General’s website is a hoax:
“VRChat did not send this Data Incident Notification, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised.”
Tupper added that the company is “in the process of contacting the Maine Attorney General’s office to have this removed.”
Graham Gaylor, CEO and founder of VRChat, also confirmed the statement BleepingComputer obtained from Tupper.
The Maine Attorney General’s Office also responded to our request for comment and said that “the notice will be taken down” and that they were “not aware of any other example of the intentional misrepresentation of the notices.”
Earlier this week, the Maine Attorney General’s Office website published another notice of a suspected data breach, allegedly from Discord, which said 10 million people were affected.
The Maine Attorney General’s Office confirmed to BleepingComputer that anyone can submit a breach notification form and have it added to the portal without verification.
“We have no independent knowledge of the breach, the submitting organization fills out the information and goes directly to the site. We will review the flagged, thank you,” the Maine Attorney General’s Office told BleepingComputer when asked about the legitimacy of the Discord data breach submission.
Unlike most official data breach notices, the Discord entry did not include a notice letter from the company informing consumers of the breach, disclosing what happened and how those affected can protect themselves.
Apart from the company address, the Discord entry contains vague and unreliable information, starting with the name of the person submitting the notice, their Gmail contact address, and the representative’s phone number.
In addition, the stated breach date of July 9, 2024, the discovery date of August 8, 2025, and the inconsistent consumer notification date of January 1, 2000, are clear indications of a false posting.
Although a data breach did affect Discord in 2025, it happened on September 20 and was due to an outage of the company’s Zendesk support desk system.
Meanwhile, the hackers told BleepingComputer that they stole the data of 5.5 million users from 8.4 million tickets.
Even when it is listed on an official portal, the legitimacy of a breach disclosure should not be taken for granted: insufficient checks make it easy for fraudsters to spread false information, which may cause reputational damage and panic before companies even realize that a false filing has been submitted.
These fake filings highlight the need for journalists and consumers to independently verify breach notifications with the companies involved before treating those posted on public notification portals as legitimate incidents.




