← All articles

Attackers post fake breach notices to Maine's public disclosure portal

In an unusual misinformation campaign, fraudulent data-breach notices were submitted to Maine's official Attorney General breach portal and published before anyone verified them, forcing named companies to issue denials. One filing falsely claimed a Discord breach affecting more than 10 million people, submitted not by a company representative but by an individual using a personal Gmail address, a placeholder phone number, and impossible dates. Because the portal is public and a listing does not mean a breach is confirmed, the fakes can spread fear, damage reputations, and seed convincing phishing lures. It highlights how trusted disclosure channels can be weaponized.

Check
Monitor state breach-notification portals for filings naming your organization, and verify any breach claim about a vendor or partner through that company's official channels before acting on it.
Affected
Any organization that can be named in a fraudulent filing, and the public and journalists who treat a portal listing as confirmation; the underlying portal trust model is the weakness.
Fix
Establish monitoring and a rapid-denial process for fake filings, brief staff and customers to confirm breach notices via official sources, and press regulators to add basic submitter verification.