[SINGLE-SOURCE] Maine's breach-notification portal abused for fraudulent filings against VRChat and Discord — both companies deny any breach

Maine's Attorney-General breach-notification portal published fraudulent data-breach filings — one claiming a 2.4-million-user VRChat cloud compromise, another a 10-million-user Discord breach — because submissions are published without filer-identity verification (BleepingComputer, 2026-06-11). VRChat stated: "VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised." Discord likewise denied filing. The Maine AG's office acknowledged the fraudulent notices and moved to remove them. [SINGLE-SOURCE — BleepingComputer.]

Why it matters to us: CTI teams routinely treat state breach portals as authoritative collection sources — this incident shows they can be poisoned. Require victim confirmation or regulator follow-up before acting on (or republishing) portal-only breach claims; the same trust-exploitation pattern would work against any unauthenticated notification channel.