The Incident
The Office of the Maine Attorney General has temporarily taken its public-facing data breach reporting database offline after discovering that an unidentified party submitted fabricated breach notifications targeting VRChat and Discord. The false filings were removed after officials confirmed their fraudulent nature with VRChat. One claimed that Discord experienced an insider wrongdoing incident affecting over 10 million users; another, signed by a nonexistent employee, alleged that VRChat leaked data on approximately 2.4 million users. Neither company filed those reports, and officials have stated the submissions were a deliberate abuse of the state’s breach disclosure system.
Impact and Response
Maine’s breach notification law is among the strictest in the United States, requiring notification to the Attorney General’s office even if just one Maine resident is affected. This low threshold has made the portal a go-to resource for security researchers, journalists, and legal professionals. However, the Attorney General’s office acknowledged that submissions flow directly from the online reporting form onto the public portal without independent verification, creating an exploitable gap. The database has been taken offline while internal procedures are reviewed to prevent future abuse. Entities required to file breach reports can still submit notifications through the online reporting service, and those needing information from existing reports can contact the Consumer Protection Division directly.
Source: Cyber Security News

