An unknown filer named Discord and VRChat in reports that went straight to the public database with no state side check, forcing Maine's attorney general to disable the site.
Maine's Office of the Attorney General said Friday, June 12, 2026 that it has taken the state's public data breach notification portal offline after fraudulent breach disclosures naming Discord and VRChat were submitted through the reporting system, calling the filings "hoaxes". The public database is offline, the intake form remains open, and copies of any disclosure are available only by contacting the AG's office directly, according to BleepingComputer's reporting on the state's response (BleepingComputer).
The move follows a June 11, 2026 BleepingComputer scoop about the original fake submissions, which used names of fictitious employees of the two companies. VRChat told BleepingComputer on June 11 that the filing against it was fraudulent and that the employee named in the disclosure did not exist. Discord was named in a parallel submission. Maine's previous workflow auto-published submitted disclosures to the public site with no state-side check, which is how the fake filings reached a public database in the first place.
That is the practical state of the system: a transparency tool designed to let consumers, journalists, and security researchers see what companies have told the state about a breach has been reduced, for the moment, to a private channel. It is a small procedural change with an outsized information consequence, because Maine's public breach database was one of the few places where consumer-impact incidents surface in a structured, attributable way. Threat-intel firms, journalists, and outside researchers used the old portal to monitor which companies had reported a breach, how many residents were affected, and the rough shape of the incident. Without the public layer, that workflow is paused while the state decides what a verified entry looks like.
The structural problem is not that Maine collected breach reports. The problem is that the previous workflow trusted whatever was submitted, so the database inherited the credibility of a state website while inheriting none of the verification that credibility is supposed to require. An unknown filer was able to put two real companies' names on records that read, to a casual reader, like official findings. The fake entries were not subtle. The named employees did not exist, the companies had not been breached, and the disclosures were posted anyway.
A trustworthy version of the same tool needs a few non-negotiable features. Submissions claiming to come from a brand or vendor should be tied to a verified contact on the company's own domain. Filings from a third party, like a security researcher, a journalist, or outside counsel, should be held in a non-public queue until the named company confirms or rebuts. The state should publish a clearly labeled provisional status for entries under review, so a public record still serves the transparency goal without pretending that any unverified form submission is a confirmed incident. The takedown procedure for hoax filings also has to be fast and visible, so the public record gets cleaned up before it metastasizes into a news cycle.
Maine's response is the right first move: pull the public surface, keep the intake, and say openly that the design is being reviewed. The harder work is the rebuild. Public breach notification is one of the few transparency levers state law gives consumers, and the alternative to a working portal is reporters chasing every individual letter to the AG. The fix has to keep the door open for legitimate disclosure while making it materially harder for an anonymous filer to put someone else's name on a fake record.