The Office of the Maine Attorney General announced it has temporarily disabled its data breach portal in response to fake submissions.
Maine is one of a small number of US states in which the Attorney General requires organizations experiencing data breaches to report the total number of individuals affected nationwide — not just the number of impacted state residents — when notifying authorities.
The web service cataloged nearly 6,000 incidents reported since mid-2020 at the time of its takedown. The entries in the database in most cases listed the total number of affected individuals and provided important information on the impact and extent of a data breach.
The fake data breach reports that triggered the shutdown targeted the online virtual world platform VRChat and the popular communication platform Discord.
VRChat published a blog post clarifying that the breach notice submitted on its behalf — claiming that 2.4 million of its users were affected — was fake.
“We want to make it perfectly clear that we have no reason to believe that our data and systems were compromised, and we did not submit any official notice about a data breach,” VRChat stated.
“Upon inspection, it was apparent that this notice was submitted by an unknown third party. It was drafted on fake VRChat letterhead using the name and contact information of a person who does not exist,” it added.
In the case of Discord, someone submitted a notice to the Maine AG claiming that a data breach had impacted 10 million of the platform’s users. The filing contained several red flags indicating it was likely fake.
Discord did disclose a data breach last year, but there is no evidence that it affected 10 million individuals. The company confirmed when the incident came to light that copies of government-issued IDs belonging to roughly 70,000 people had been compromised.
In a statement issued when it took down the data breach portal, the Maine Attorney General described the false VRChat and Discord reports as hoaxes.
“We are reviewing our procedures to make this abuse less likely in the future while preserving the public availability of such information. The public-facing database will remain offline until then,” the attorney general’s office stated.
In the meantime, organizations can still submit data breach reports to the Maine AG.
Related: University of Nottingham Confirms Breach After Hackers Leak Data
Related: 174,000 Impacted by Lansing Community College Data Breach
Related: Hackers Leak DentaQuest Information Impacting 2.6 Million
