Maine's official Attorney General breach disclosure portal, a state-mandated public record designed to protect consumers, is publishing fraudulent breach notices before anyone verifies them. The most recent and best-documented case involves VRChat, whose name appeared in a filing that claimed personal data of more than 2.4 million users had been exposed to attackers through the company's cloud environment (BleepingComputer). VRChat never had a breach. The cited employee and email do not exist.
The asymmetry is the story. A government-posted filing becomes a searchable public record the moment it lands on the portal, while correction runs through a separate, slower channel: the named company has to contact the Maine AG, request removal, and wait. In the interval, search engines index the page, breach-tracking services that scrape the portal pull the data, journalists and consumers act on the notice, and the false claim travels further than the denial.
The VRChat filing, as reported by BleepingComputer's Bill Toulas, lists plausible data categories and a specific headcount. That surface plausibility is what makes the abuse pattern work. A reader who skims a Maine AG page has no visible signal that a third party filed the notice on behalf of a company that never had an incident, and no way to know the cited contact is fictitious. The company is left to disprove a government record on its own clock, and the portal, in the meantime, amplifies the false claim.
VRChat's on-record denial, delivered to BleepingComputer by a company representative, goes further than a generic "no comment". The representative said the breach notification is fake, was filed under the name of an employee who does not exist at the company, and that VRChat suspects no compromise of its systems. The company has contacted the Maine AG to have the entry removed. The full statement, including the absence of any suspected compromise, appears in BleepingComputer's reporting.
The pattern is not isolated. BleepingComputer characterizes the activity as an unusual misinformation campaign targeting state-level breach notification infrastructure, and the outlet's reporting notes that prior or related fake filings have appeared on the same portal. As of publication, Maine's AG office had not provided on-record comment on the broader pattern, and the underlying portal design has not changed: a public notice can land, be indexed, and circulate before any gatekeeper acts.
The downstream consequences are concrete. A search for "VRChat breach" today returns a state AG page as a top result. A consumer who uses the service and reads the notice may freeze the account, change credentials, file a complaint, or close the account entirely. A small company that gets a similar filing can absorb a credibility hit it did nothing to earn. A security journalist who sees the portal entry but misses the denial may file a wire story before the takedown completes. The correction, when it comes, rarely reaches the same audience.
The structural fix is procedural, and several options sit within reach of any state portal that handles mandatory disclosures. A filer attestation that ties the submission to a verified contact at the named company would shift the burden off the victim and onto the actor. Optional third-party sign-off, such as a notarized submission or a registered-agent confirmation, would raise the cost of abuse. A named takedown SLA, with a published clock and a public correction appended in place rather than silently removed, would let the record self-correct. In-place correction matters: removing a page does not remove the copies already held in search indexes and caches.
Other state breach portals should look at Maine's experience and act before the same pattern lands on their pages. Until the Maine AG office comments on whether pre-publication verification, attestation, or a hard takedown clock is on the table, the portal will keep publishing whatever it is handed, and the burden of disproving a government notice will keep falling on the company that never had a breach in the first place.