
VRChat Data Breach Notice Posted to Maine Government Website Turns Out to be a Phony

In what appears to be some sort of bizarre prank, a data breach report posted to the Maine state government website on June 11 seems to have been entirely fabricated (and has since been removed).

The supposed data breach prompted coverage from a number of national media sources, as it claimed to involve popular social platform VRChat and some 2.5 million of its users. The fake notice went so far as to make up an accompanying fake disclosure statement from VRChat themselves, which was attributed to a supposed VRChat employee named “Scott Caruso” who also turned out to not exist.

Fake data breach report originated from Maine Attorney General’s office

The data breach notification appeared to be legitimate as it was posted directly to the Maine Attorney General’s office website at the “maine.gov” domain. It has since been removed, but its claims remain online in the form of follow-on stories filed by assorted national news outlets and magazines in its wake.

The fake report claimed that VRChat had been breached by a cyber attack from May 10 to May 12, with the attackers siphoning off the contact information, Steam and Meta ID numbers and login histories (but not the payment information or identification cards) of just short of 2.5 million platform users. VRChat is a “virtual world” platform comparable to Second Life, and has been in business since 2014 as standalone PC software and available on Steam since 2017. The platform is estimated to have about eight million users.

Shortly after the follow-on media reports began to appear, VRChat head of community Charles Tupper contacted outlets to verify that the notice was not legitimate, that there was no known sign of a data breach at the company, and that the supposed employee who signed their name to it was not a real person. The fake breach notice also contained a phone number for this employee that turned out to be out of service when called.

Why fake a data breach report?

While the story essentially turned into a non-story in the end, it does present a couple of mysteries: why fake a data breach report, and how did the faker manage to get it through to the Maine government website?

At this point there is no indication that the Maine website has itself been breached, or that the action is that of a rogue employee (or perhaps a former employee who continues to have access). While those possibilities have not been totally ruled out, it is more likely that the fake data breach report was simply submitted through the state’s breach portal and was accepted and posted without proper vetting.

The fake data breach report was certainly convincing, and it seems someone put a lot of effort into achieving this exact result. But there remains no word as to who it was or what their motivations were. The fraudster was clearly very familiar with the process and the usual formatting and presentation of these reports, however, adding details such as made-up forensic investigation results and instructions for potentially impacted users to ensure their accounts were secured.

Another apparently fake data breach report made its way onto the Maine website just about a week before this one, claiming that Discord had been breached and 10 million users were impacted. That one drew on details from the actual Discord breach that took place in September 2025, but mixed up key information about it and claimed it took place on a different date. That breach report also contained seemingly bogus contact information to which no one responds. The Discord report has also since been removed from the Maine website.

VRChat has since clearly stated that no one at the company filed the data breach report. These incidents might have been a simple prank by someone, or even perhaps a mishap by some sort of AI-driven automated system. If it is the same actor, there are some links between the two companies they chose to prank. Both have userbases that skew very young, the vast bulk being under the age of 24 for VRChat (which also has a very large underage cohort as it allows users as young as 13). In February of this year, VRChat issued an update that allows users to invite Discord friends directly using the site’s social features; these users coming in have the option to jump in and play without first creating a regular account for themselves. Both platforms have also made the news due to criticisms of not doing enough to protect their large underage user bases from adult content and predators, with both being seen as major prowling grounds for child grooming.

Whatever the case, it has prompted the state to take down the breach reporting portal temporarily (as of June 12) and review how submissions are handled in the interest of curbing further abuse.