
Jun 12, 2026 · 7 min read

Fake Breach Notices Planted on Maine's Official Portal

Fraudulent filings naming Discord and VRChat went live on Maine's breach notification portal in June 2026 — no verification required, and phishing crews now have an official-looking source to cite.

On June 8, 2026, someone filed a data breach notification with the Maine Attorney General's office claiming that "insider wrongdoing" at Discord had exposed more than 10 million people. The notice went live on the state's public breach portal almost immediately. Discord never filed it. Days earlier, a separate filing claimed VRChat had leaked data on 2.4 million users — signed by an employee who does not exist. Both notices were fabrications, published on an official government website that security teams, journalists, and class action lawyers treat as ground truth, BleepingComputer reported.

Key Takeaways

  • Maine's Attorney General breach notification portal published fake disclosures naming Discord (10 million people allegedly affected) and VRChat (2.4 million users) in June 2026, according to BleepingComputer.
  • Maine's AG office confirmed that anyone can submit a breach notification form and have it posted to the public portal without independent verification.
  • The fake VRChat filing used a fictitious employee name, and the Discord filing used a personal Gmail address, a placeholder phone number, and a notification date of January 1, 2000.
  • Fraudulent entries on official portals give phishing crews a citable "official source" for fake "your data was breached" emails, so any breach notice you receive should be verified against the company's own website before you act on it.

What Happened on Maine's Breach Portal?

Attackers submitted fraudulent data breach disclosures through Maine's official reporting form, and the state published them on its public portal as if they were genuine corporate filings. The fake VRChat notice claimed a breach between May 10 and 12 had exposed usernames, email addresses, login history, and linked account IDs for 2.4 million users. VRChat's Head of Community, Charles Tupper, told BleepingComputer the filing was fabricated outright: "VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist."

The Discord entry was sloppier but arguably more dangerous given the company's size. It listed Discord Inc. of San Francisco as the breached entity, described the cause as insider wrongdoing, and claimed more than 10 million affected individuals. Look closer and the seams show. The submitter identified as a "Data Subject / Reporter" rather than a company representative, used a personal Gmail address instead of a corporate domain, entered a placeholder phone number, and dated the consumer notification January 1, 2000. Discord's legitimate past filings in Maine were submitted by the law firm BakerHostetler — not an anonymous Gmail account.

How Did the Fakes Get Through?

They got through because nothing checks them. Maine's AG office confirmed to BleepingComputer that submissions flow directly from the online reporting form onto the public site: "We don't have any independent knowledge of the breaches, the submitting entity fills out the information and it goes directly onto the site." The office says false notices will be removed once identified — but removal happens after publication, after screenshots, and after the entry has been scraped into breach tracking databases.

That design made sense when the portal launched. Maine's notification law, Title 10, §1348, compels companies to report breaches affecting state residents, and a frictionless form lowers the compliance burden. The threat model assumed companies reluctantly disclosing real breaches. It never anticipated outsiders eagerly disclosing fake ones.

[Image: Government building facade reflected in cracked glass with scattered official documents, representing fake breach disclosures on an official portal]

Why Do State Breach Portals Matter So Much?

Because almost everyone downstream treats them as verified fact. Maine's portal is one of the few state databases that publishes every filing publicly, with records going back to 2010. Journalists scrape it for breach scoops. Threat intel teams feed it into monitoring pipelines. Plaintiffs' firms watch it for class action leads. Breach aggregators ingest it automatically and republish entries within hours.

A fake filing therefore doesn't stay on one government webpage. It propagates into news alerts, vendor risk dashboards, and litigation databases under the implicit stamp of a state Attorney General. A well-timed fraudulent disclosure naming a public company could move its stock before anyone issues a denial. The Identity Theft Resource Center counted 3,322 data compromises in the US in 2025 — an all-time record. In that flood, a single fake entry on an official portal reads as entirely plausible.

The Discord fake illustrates exactly why. Discord suffered a genuine third-party breach in late 2025, when attackers compromised an outsourced support agent's account and stole data on 5.5 million users, including roughly 70,000 government ID photos, NBC News reported. Anyone who half remembers that real incident will find a new "Discord breach, 10 million affected" filing easy to believe. Attackers picked a target with residual breach plausibility — and that pattern is repeatable against any company that has ever been breached, which is most of them.

Why Email Users Should Care

The most likely payoff for planting a fake disclosure lands in your inbox. "Your data has been breached" emails are a classic phishing pretext, and their weakness has always been verifiability — a suspicious recipient could search for the breach and find nothing. A fraudulent filing on an official state portal removes that weakness. The phishing email can now link to a genuine maine.gov page that appears to confirm the breach, then direct you to "secure your account" through an attacker-controlled login page or "claim compensation" by submitting your identity documents.

This flips the usual security advice on its head. We tell people to verify alarming emails against official sources. Here, the official source itself has been poisoned. The same mechanics power the fake cloud storage payment scams flooding inboxes — manufactured urgency plus a credible-looking pretext — but a state government citation gives this variant far more weight.

Real breach notifications also tend to arrive when victims are anxious and primed to click. After Discord's actual 2025 breach, affected users received legitimate notification emails. A scammer who plants a fake follow-up filing can ride that anxiety with a second wave of "additional data was exposed, act now" messages that even cautious users may trust.

How Can You Verify a Breach Notice Is Real?

Treat every emailed breach notice as unverified until the company's own website confirms it. Specific steps:

  • Go to the company directly. Type the company's domain into your browser yourself. Real breaches of any size produce a security advisory, blog post, or support page on the company's own site.
  • Check the AG portal yourself — skeptically. Navigate to the Maine AG breach database directly rather than clicking a link in the email. Then scrutinize the filing: a corporate breach notice submitted from a personal Gmail address, with placeholder contact details or impossible dates, is a red flag even on an official page.
  • Never click links or call numbers in the notice itself. Legitimate breach notifications never need your password, full Social Security number, or payment details to "verify" you.
  • Look for the law firm. Large companies almost always file through outside counsel. A filing that breaks a company's established pattern deserves suspicion.
  • Wait for corroboration. Real 10-million-record breaches generate coverage from multiple independent outlets within hours, not just a portal entry.

What This Means for Compliance and Security Teams

Compliance teams should now assume that breach portals can contain adversarial data — about their own company. Add your organization's name to monitoring across the public state portals (Maine, California, Washington, and others publish filings), so a fraudulent disclosure naming you triggers an alert before a reporter's email does. Prepare a denial playbook: who confirms whether a filing is genuine, who contacts the AG's office for removal, and who handles press queries, all within hours.
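As an added example (not code from this article, BleepingComputer, or Maine's AG office), the following Python applies the red flags listed in the verification steps above to a portal record and shows how a compliance team could raise an alert when a watched organization appears in a suspicious filing. The record layout, the counsel-domain table, the role keywords and every sample value are constructed assumptions, not actual portal data.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass
class Filing:
    """One record in the shape a scraped breach-portal entry might take (assumed layout)."""
    entity: str
    submitter_role: str
    submitter_email: str
    submitter_phone: str
    notification_date: date
    affected: int

# Domains a company's genuine filings are expected to come from (its own domain or
# its outside counsel). Constructed placeholder table maintained by the defender.
KNOWN_SUBMITTER_DOMAINS = {
    "discord inc.": {"discord.com", "bakerhostetler.com"},
    "example corp": {"example.com"},
}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
PLACEHOLDER_PHONES = {"1234567890", "5555555555"}

def red_flags(f: Filing, today: date = date(2026, 6, 12)) -> list[str]:
    """Return the heuristic warning signs present in a single filing."""
    flags = []
    domain = f.submitter_email.rsplit("@", 1)[-1].lower()
    if domain in FREEMAIL:
        flags.append("submitter uses a personal webmail domain")
    expected = KNOWN_SUBMITTER_DOMAINS.get(f.entity.lower())
    if expected and domain not in expected:
        flags.append("submitter domain breaks the entity's established filing pattern")
    role = f.submitter_role.lower()
    if "representative" not in role and "counsel" not in role:   # assumed role wording
        flags.append(f"submitter role is '{f.submitter_role}', not a company representative")
    digits = re.sub(r"\D", "", f.submitter_phone)
    if len(set(digits)) <= 2 or digits in PLACEHOLDER_PHONES:
        flags.append("placeholder or missing phone number")
    if f.notification_date.year < 2010 or f.notification_date > today:
        flags.append("implausible notification date")
    return flags

def should_alert(f: Filing, watchlist: set[str]) -> bool:
    """Alert when a watched organization name appears in a filing with any red flag."""
    return f.entity.lower() in watchlist and bool(red_flags(f))

# Constructed samples: one modelled on the fake Discord filing's traits, one clean.
FAKE = Filing("Discord Inc.", "Data Subject / Reporter", "reporter.example@gmail.com",
              "000-000-0000", date(2000, 1, 1), 10_000_000)
CLEAN = Filing("Example Corp", "Company representative", "privacy@example.com",
               "207-555-0142", date(2026, 6, 1), 12_000)
```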

There's a disclosure trust paradox here worth sitting with. Regulators have spent years pushing companies toward faster, more public breach notification, precisely because firms historically delayed — like the university cancer center that waited six months to tell 1.2 million people their data was stolen. Public portals were the accountability fix. Now the same openness that keeps companies honest gives attackers a publishing platform with a government domain. Expect states to respond with submitter verification — domain-matched email requirements at minimum — and expect an awkward interim period where "it's on the AG's portal" no longer settles whether a breach actually happened.

Until then, the burden falls where it usually does: on the person reading the breach notice and deciding whether to believe it.
