For years, one of the quietly useful artifacts of American privacy law has been the Maine Attorney General’s data breach notification database. It is not glamorous. It is a searchable list of companies that have told the state they lost control of someone’s personal information, complete with the notification letters they sent to affected residents. Journalists cite it. Security researchers cross-reference it. When a company tries to soft-pedal an incident, the Maine filing is often the closest thing to a primary source. Its authority came from a simple premise: this is an official government record, so what it says can be believed.

This month that premise broke. On June 12, 2026, the Maine AG’s office took the public portal offline after discovering that someone had used the state’s own reporting form to publish fraudulent breach disclosures, including filings that falsely named VRChat and Discord. Both were confirmed hoaxes. The mechanism of the attack is the part worth sitting with, because it is almost embarrassingly simple.

How a Trusted Record Got Poisoned

Maine’s submission process, as the AG’s office acknowledged after the fact, accepts breach notifications and publishes them to the public portal without independent verification. Anyone can fill out the form, name any company, claim any number of victims, and watch the entry appear on an authoritative .gov page. There is no check that the submitter actually works for the company named, no confirmation that the incident occurred, no gate between “someone typed this” and “the state of Maine published this.”

So someone did exactly what that design invites. One filing claimed VRChat had exposed data on roughly 2.4 million users in mid-May, complete with a professionally drafted notification letter listing usernames, emails, login history, and account IDs. It looked legitimate. It was not. VRChat’s head of community flatly stated the company never submitted it and that the employee and email address cited in the filing do not exist. A separate entry alleged a breach affecting 10 million Discord users, and this one wore its forgery more openly: a Gmail contact address where a corporate one belonged, a placeholder phone number, and dates that made no sense, including a consumer-notification date listed as January 1, 2000. The Discord case is especially instructive, because Discord did suffer a real breach in 2025 through a compromised third-party support vendor. The fake filing borrowed the plausibility of a true event and inflated it into fiction.

The Integrity Problem at the Heart of Open Disclosure

It is tempting to file this under “government IT failure” and move on, but that misreads the lesson. The portal worked exactly as designed. The design was the problem, and the design reflects a genuine tension that privacy advocates do not get to wish away.

Mandatory breach notification exists because companies have every incentive to stay quiet. Left to their own judgment, organizations downplay incidents, delay disclosure, and bury the bad news in vague language about “an issue that may have affected certain accounts.” Public, low-friction reporting is the counterweight. The whole point of Maine’s portal is that it is easy to file and immediately visible, so that disclosure happens fast and the public record cannot be quietly edited. Friction is the enemy of transparency. An honest company should be able to notify the state without jumping through identity-verification hoops that slow down the very disclosure the law demands.

But the same frictionlessness that serves transparency is what makes the system forgeable. An unauthenticated submission channel cannot tell an honest disclosure from a malicious one. And the more trusted the record becomes, the more valuable it is to corrupt. The Maine database was a high-value target precisely because people believed it. A fake breach notice scrawled on a random blog convinces no one; the same lie laundered through a state attorney general’s website can move markets, trigger needless password resets, damage a company’s reputation, and waste the time of every reporter who treats the source as reliable. Trust is the asset, and trust is exactly what the attacker spent.

What This Should and Should Not Teach Us

The wrong conclusion is that public breach databases are a mistake. They are not. The transparency they provide is real and hard-won, and the answer to abuse is not to retreat into the opacity that breach-notification laws were written to end. If the takeaway becomes “let companies self-report privately and trust them to be honest,” the trolls will have won something far larger than two fake filings.

The right conclusion is narrower and more demanding. A public record that the world treats as authoritative has to earn that authority continuously, which means it needs integrity controls proportional to its credibility. That can be lightweight: sending a confirmation to a contact address the state already has on file for the named company (not to whatever address the submitter typed into the form, which is the one field a forger fully controls), labeling entries "unverified" until that confirmation arrives, rate-limiting and logging submissions so a burst of filings from one source stands out, and adding a human pause before any claim of millions of victims hits the live site. None of these reintroduce the secrecy that breach laws were designed to break; an honest company still files in minutes and its entry still appears, just with the state's endorsement withheld until the state has actually checked. They close the gap between "anyone can say this" and "the state of Maine vouches for this."
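To make the controls above concrete, here is an added example of an intake gate for a public notification portal, written for this article and not taken from Maine's system or any real portal. The field names, thresholds, the registry of company contact domains, and the in-memory "outbox" standing in for a mailer are all assumptions. It runs the cheap sanity checks suggested by the tells in the forged filings described earlier (free-mail contact address, placeholder phone, notification date before the breach, a date from 2000, an enormous victim count), files every submission as "unverified", sends the confirmation token only to the address on file for the named company, holds anything that trips a hard flag for a human, and rate-limits submitters.

```python
# Added example, not Maine's code: an intake gate for a public breach-notification portal.
# All names, thresholds, and the company registry below are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import date
import hashlib
import hmac
import secrets
import time

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "proton.me"}
PLACEHOLDER_PHONES = {"0000000000", "1234567890", "5555555555", "1111111111"}
PORTAL_EPOCH = date(2006, 1, 1)   # assumed: no genuine filing predates the portal
BIG_FILING = 1_000_000            # assumed: victim counts at or above this get a human look

# Assumed registry of the contact domain the state has on file per company.
# Verification mail goes to THIS domain, never to the address the submitter typed.
REGISTRY = {"Example Corp": "example.com"}

# Fresh per process here; a real deployment would keep this in a secrets manager.
SERVER_KEY = secrets.token_bytes(32)

HARD_FLAGS = {"contact_domain_mismatch", "notice_before_breach",
              "implausible_date", "large_count_review", "unknown_company"}

OUTBOX = []   # stand-in for the mailer: (to_address, filing_id, token)


@dataclass
class Filing:
    company: str
    submitter_email: str
    contact_phone: str
    victims: int
    breach_date: date
    notice_date: date
    status: str = "unverified"
    flags: list = field(default_factory=list)
    filing_id: str = field(default_factory=lambda: secrets.token_hex(8))


def sanity_flags(f: Filing, today: date) -> list:
    """Heuristics modelled on the tells in the forged filings. Each flag is a
    reason for a reviewer to look, not proof of forgery on its own."""
    flags = []
    domain = f.submitter_email.rsplit("@", 1)[-1].lower()
    if domain in FREEMAIL_DOMAINS:
        flags.append("freemail_contact")
    if f.company in REGISTRY and domain != REGISTRY[f.company]:
        flags.append("contact_domain_mismatch")
    digits = "".join(ch for ch in f.contact_phone if ch.isdigit())
    if len(digits) != 10 or digits in PLACEHOLDER_PHONES:
        flags.append("placeholder_phone")
    if f.notice_date < f.breach_date:
        flags.append("notice_before_breach")
    for d in (f.breach_date, f.notice_date):
        if not (PORTAL_EPOCH <= d <= today):
            flags.append("implausible_date")
            break
    if f.victims >= BIG_FILING:
        flags.append("large_count_review")
    return flags


def verification_token(filing_id: str) -> str:
    """HMAC over the filing id: unguessable, and bound to one filing."""
    return hmac.new(SERVER_KEY, filing_id.encode(), hashlib.sha256).hexdigest()


def intake(f: Filing, today: date) -> Filing:
    """File the submission as unverified, hold it if any hard flag fires, and
    send the confirmation token to the registered contact domain only."""
    f.flags = sanity_flags(f, today)
    if f.company not in REGISTRY:
        f.flags.append("unknown_company")
    f.status = "held" if HARD_FLAGS & set(f.flags) else "unverified"
    if f.company in REGISTRY:
        OUTBOX.append(("security@" + REGISTRY[f.company], f.filing_id,
                       verification_token(f.filing_id)))
    return f


def confirm(f: Filing, token: str) -> bool:
    """Registered contact presents the token it was mailed; constant-time compare."""
    if not hmac.compare_digest(token, verification_token(f.filing_id)):
        return False
    f.status = "verified"
    return True


def public_label(f: Filing):
    """What the portal shows: the status label, or None if the entry is not listed."""
    return f.status if f.status in ("verified", "unverified") else None


class RateLimiter:
    """Sliding-window limit per submitter key (IP or account)."""
    def __init__(self, limit=3, window=3600):
        self.limit, self.window, self.seen = limit, window, {}

    def allow(self, key, now=None) -> bool:
        now = time.time() if now is None else now
        recent = [t for t in self.seen.get(key, []) if now - t < self.window]
        if len(recent) < self.limit:
            recent.append(now)
        self.seen[key] = recent
        return recent[-1] == now if recent else False
```

The design choice worth noting is that the submitter's own contact address is treated as untrusted input that can only add flags, never satisfy verification; the one address that can flip a filing to "verified" is the one the state looked up itself. An honest company is delayed by nothing more than replying to that mail, and its entry is visible as "unverified" in the meantime.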

There is a broader signal here, too. As more privacy enforcement shifts toward open, queryable, public-facing infrastructure, those systems inherit the threat model of any public platform. They will be spammed, gamed, and weaponized for disinformation, because anything trusted enough to be worth reading is trusted enough to be worth faking. Maine’s portal will presumably come back, hopefully a little harder to abuse. The instinct behind it, that the public deserves to see who lost their data, remains exactly right. The lesson is only that openness without integrity is not transparency. It is just an unlocked door, and someone will always walk through it.