- 959
- 254
Authorities in the US state of Maine were forced to temporarily shut down a public portal used for data breach notifications. Unknown attackers posted a series of fake messages there about major hacks and data leaks affecting millions of users, including those related to VRChat and Discord.
Users and media outlets became aware of the breach after a VRChat user data breach notification ( archived version ) appeared in the state Attorney General's Office's database. The notification claimed that the attackers had accessed the company's cloud infrastructure between May 10 and 12, 2026, and stolen the information of 2,436,782 people.
The fake notification claimed that the attackers had stolen VRChat usernames, email addresses associated with the accounts, VRChat+ subscription information, login history data, IP addresses, device IDs, as well as Steam and Meta IDs (the company's activities are considered extremist and are banned in Russia).
The creators of the fake message didn't just post a short notice. They prepared a full-fledged letter for affected users, describing the alleged investigation, the protective measures taken, and providing recommendations for account security.
However, VRChat representatives soon claimed that no hack had occurred. Head of Community, Charles Tupper, told the media that the notice was a fake, and the employee mentioned in the documents did not exist.
According to the platform's representatives, there is no reason to believe that the company's systems or user data were compromised. VRChat co-founder and CEO, Graham Gaylor, also confirmed this statement.
Meanwhile, researchers discovered another suspicious notice on a Maine portal, purporting to be from Discord ( archived version ). This message claimed that the data of 10 million people had been leaked. The document also contained numerous obvious inconsistencies, including a Gmail contact address, a fake phone number, and incorrect dates. For example, users were supposedly supposed to be notified of an incident on January 1, 2000.
After journalists contacted the state Attorney General's office, it was discovered that the system barely vets incoming reports. Any organization can submit a notification, after which it automatically appears in a public database.
Late last week, state authorities officially acknowledged that unknown individuals had abused the notification system. In a statement, authorities stated that both data breach reports were fake, and the people who posted them were not affiliated with either VRChat or Discord. The posts have since been deleted.
Access to the public database is currently temporarily closed. The Prosecutor General's Office stated that it is reviewing its notification procedures to prevent similar incidents in the future. Companies can still report actual incidents and data breaches, but copies of notifications are only available upon request.
Users and media outlets became aware of the breach after a VRChat user data breach notification ( archived version ) appeared in the state Attorney General's Office's database. The notification claimed that the attackers had accessed the company's cloud infrastructure between May 10 and 12, 2026, and stolen the information of 2,436,782 people.
The fake notification claimed that the attackers had stolen VRChat usernames, email addresses associated with the accounts, VRChat+ subscription information, login history data, IP addresses, device IDs, as well as Steam and Meta IDs (the company's activities are considered extremist and are banned in Russia).
The creators of the fake message didn't just post a short notice. They prepared a full-fledged letter for affected users, describing the alleged investigation, the protective measures taken, and providing recommendations for account security.
However, VRChat representatives soon claimed that no hack had occurred. Head of Community, Charles Tupper, told the media that the notice was a fake, and the employee mentioned in the documents did not exist.
According to the platform's representatives, there is no reason to believe that the company's systems or user data were compromised. VRChat co-founder and CEO, Graham Gaylor, also confirmed this statement.
Meanwhile, researchers discovered another suspicious notice on a Maine portal, purporting to be from Discord ( archived version ). This message claimed that the data of 10 million people had been leaked. The document also contained numerous obvious inconsistencies, including a Gmail contact address, a fake phone number, and incorrect dates. For example, users were supposedly supposed to be notified of an incident on January 1, 2000.
After journalists contacted the state Attorney General's office, it was discovered that the system barely vets incoming reports. Any organization can submit a notification, after which it automatically appears in a public database.
Late last week, state authorities officially acknowledged that unknown individuals had abused the notification system. In a statement, authorities stated that both data breach reports were fake, and the people who posted them were not affiliated with either VRChat or Discord. The posts have since been deleted.
Access to the public database is currently temporarily closed. The Prosecutor General's Office stated that it is reviewing its notification procedures to prevent similar incidents in the future. Companies can still report actual incidents and data breaches, but copies of notifications are only available upon request.