Earlier this month, VRChat and Discord suffered data breaches…wait…or did they? Some are wondering! Welcome to the Identity Theft Resource Center's Weekly Breach Breakdown for June 26, 2026. I'm Alex Achten, Vice President of Media Relations for the ITRC. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we review the latest events and trends in data security and privacy. Today, we are going to look at two data breaches that…well…weren’t.

Show Transcript

Earlier this month, VRChat and Discord suffered data breaches…wait…or did they? Some are wondering! Welcome to the Identity Theft Resource Center's Weekly Breach Breakdown for June 26, 2026. I'm Alex Achten, Vice President of Media Relations for the ITRC. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we review the latest events and trends in data security and privacy. Today, we are going to look at two data breaches that…well…weren’t. Stick with me on this. 

We talk a lot on this podcast about data events and breach notices. What we don’t talk about is what happens when data breaches are reported falsely. However, that is what happened in Maine, and why the title of this week’s podcast is “Ctrl+Alt+Deceit”. 

Earlier this month, data breach notices were filed with the Maine Attorney General regarding alleged incidents affecting VRChat and Discord. The VRChat notice claimed that the incident impacted 2.4 million people who used the social media platform for virtual reality headsets. As for the Discord notice, it said the social and messaging platform provider was hit by an incident that affected 10 million users. 

However, the companies quickly claimed they did not submit notices. It was a data breach hoax. On June 12, the Maine attorney general’s office issued the following statement in a news release: 

“The Office of the Maine Attorney General has been made aware of an apparent abuse of our data breach reporting system. After conversations with VRChat, one of two affected companies, it has become clear that the reported data breaches were hoaxes submitted by an unknown entity unrelated to either company. These false reports have been removed from the database. We have no knowledge of any recent legitimate data breach reports from either VRChat or Discord. 

“We are reviewing our procedures to make this abuse less likely in the future while preserving the public availability of such information. The public-facing database will remain offline until then.” 

As of June 21, the public-facing database remains down. It is unclear what the perpetrators’ motive was for filing the fraudulent notifications, short of making mischief. 

Here is why this data breach hoax situation matters: Maine is one of a small number of U.S. states in which the AG requires organizations experiencing data breaches to report the total number of individuals affected nationwide — not just the number of impacted state residents — when notifying authorities. 

At the time of its takedown, the web service had cataloged nearly 6,000 incidents reported since mid-2020. In most cases, those entries listed the total number of affected individuals and provided critical information on the impact and extent of a breach. Losing this tool, even temporarily, is a blow to transparency.  

These data breach hoaxes are the latest reminder of why the ITRC believes there should be a national data breach reporting law with one uniform reporting agency. In the meantime, for a look at the real landscape without the hoaxes, you can download our 2025 Annual Data Breach Report on our website, idtheftcenter.org, under the “Reports” tab. In 2025, the ITRC tracked a record number of data breaches. We will also release our H1 2026 Data Breach Report on July 22, so stay tuned.  

We will continue to track this story and provide updates as they become available. You can subscribe to our monthly newsletter, In the Loop, by visiting our website and clicking on “Newsletter” under the “Resources” tab.  

If you want to know more about how to protect your business or personal information or think you have been the victim of identity theft, fraud or a scam, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web or exchange emails during our normal business hours Monday through Friday (6 a.m.-5 p.m. PT). Just visit idtheftcenter.org to get started. 

Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts. 

Next week, be sure to catch our sister podcast, the Fraudian Slip. ITRC CEO Eva Velasquez and Gen Security Evangelist Luis Corrons will discuss all things summer scams as we head into July. We will return in two weeks with another episode of the Weekly Breach Breakdown. I’m Alex Achten. Until then, thanks for listening.  
