The avatar chat platform says it never filed a notice claiming 2.4 million users were exposed, and the disputed filing is still live on the state's breach portal.
VRChat, the San Francisco-based avatar chat platform, said on Thursday that a Notice of Data Incident posted to the Maine Attorney General's breach portal in its name, claiming the personal data of roughly 2.4 million users had been exposed, is a fabrication the company never submitted. VRChat is asking the state to take the filing down, according to The Register's reporting.
"VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised. We are in the process of contacting the Maine Attorney General's office to have this removed," VRChat's head of community, Charles Tupper, told The Register on the record.
The Register's original story ran earlier in the day under the headline "2.4M+ VRChat users' data accessed following cloud breach," based on a filing that appeared on the Maine AG's data breach portal. After readers flagged concerns, the outlet followed up with VRChat and, where it could, verified that the filing's authorship did not check out.
Three concrete signals back up the forgery framing. The phone number on the filing, (628) 887-5729, was not in service. An email sent to scaruso@vrchat.com, the address given for the named "Director, Legal," received no reply. And a name search turned up no public record of a "Scott Caruso" affiliated with VRChat, per The Register's reporting.
What the filing on the Maine AG portal did say, framed as the filing's own claims rather than established fact: VRChat, Inc., at 548 Market St #93053, San Francisco, CA 94104, with "Scott Caruso" listed as the submitting "Director, Legal," reported 2,436,782 persons affected, including 8,607 Maine residents. The breach window was listed as 05/10/2026 through 05/12/2026, the cause as "External system breach (hacking)," and the consumer notification date as 06/12/2026. The portal did not list any identity-theft or credit-monitoring services offered to affected users. The notice was still live on the portal as of The Register's Thursday update; VRChat told the outlet it had contacted the Maine AG as of that date, and the Maine AG's office has not publicly confirmed any action on that request.
The Register has issued an editorial correction on the original piece, updating the headline and adding the company denial and its own verification findings. The original story body remains readable below the update, so the disputed "2.4M users" framing is still in circulation alongside the correction.
The substantive contents the fake notice described matter to anyone who saw the first version. According to what the filing claimed, the exposed data included usernames, email addresses, IP addresses, and device IDs collected between May 10 and May 12. None of that has been confirmed by VRChat, by an independent security researcher, or by a forensic firm, and the company has offered no evidence of an intrusion. The Register is asking readers with information about who submitted the notice to contact its newsroom through standard tip channels.
The durability of this story is not really about VRChat, which has described its user base in broad terms without publishing an exact count. The pointed question is how a fabricated filing, citing a non-existent employee, a disconnected phone number, and a non-replying email, entered a state attorney general's breach portal and propagated through a major trade outlet before being caught.
State AG breach portals are designed to be a public-facing consumer protection surface. The Register noted that Maine's portal, like its peers in California and Vermont, accepts submissions from companies or their representatives and posts the resulting notice without a disclosed pre-publication verification step. The Register did not detail the Maine AG's intake process, and the office has not commented publicly on the disputed filing beyond declining to respond to requests for comment. The notice has not been removed as of the outlet's update.
For anyone who saw the first version of the VRChat breach story, the corrective lives in the Register's updated piece. For companies that watch these portals for incident telemetry, the open question is what kind of check, if any, sits between a submitted form and a posted notice. For the press, the open question is whether "the company told the AG" is, on its own, a publishable fact. The Maine AG's office has not yet responded to requests for comment on the disputed filing.