Maine was forced to take down a data breach site after fake notifications were filed with authorities

The US state of Maine has taken its data breach notification portal offline after someone posted fake breach notifications purporting to come from two well-known technology companies.
As BleepingComputer reported last week, fraudulent data breach disclosures were submitted to Maine’s official data breach portal and published before their validity was verified, prompting the companies named in them to deny the claims.
The first fake alert targeted the popular messaging platform Discord, which is used by hundreds of millions of people around the world. The notice, which said 10 million people were affected by the data breach, was full of clues that should have made anyone question its legitimacy: it included a Gmail contact address, a representative’s phone number, and a consumer notification date of January 1, 2000.
In addition, it did not include a model notice letter to affected customers – something that is standard practice in legitimate breach filings.
The more convincing of the two, however, was a fake breach notice purporting to come from the multiplayer virtual reality platform VRChat. The filing claimed that hackers had gained access to the company’s cloud infrastructure in May, exposing the information of more than 2.4 million users.
The fake VRChat breach notice listed the compromised data as including usernames, email addresses, VRChat+ subscription status, login history, device identifiers, IP addresses, and Steam or Meta account IDs, according to BleepingComputer.
However, that notice was sent under the pseudonym “Scott Caruso” using the email address scaruso(at)vrchat.com.
Charles Tupper, Head of Community at VRChat, confirmed to BleepingComputer that the notification was a hoax:
“VRChat did not send this Data Incident Notification, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised.”
In a statement, the Maine Attorney General’s office confirmed that it “has no recent knowledge of reports of official data breaches from VRChat or Discord.”
So, what went wrong?
It appears that the abuse was possible because Maine’s data breach reporting system lacked a proper verification mechanism.
Anyone could submit a breach notification form, and it would be posted on the portal website without verification.
Which means that anyone who wanted to damage a company’s reputation could submit a convincing-looking breach notice and have it published.
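To show what a minimal intake check could look like, here is an added example (not code from the Maine portal or from BleepingComputer’s report); the Filing schema, field names, free-mail list and sample filings are all constructed. It screens for the clues the article lists and, because the VRChat hoax used a plausible address at the right domain, holds even a clean filing until the named organization confirms it out of band.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed list; a production portal would maintain its own.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


@dataclass
class Filing:
    """Fields a breach-notification form might carry (hypothetical schema)."""
    organization: str
    org_domain: str           # domain of the organization the filer claims to represent
    contact_email: str
    notification_date: date   # date consumers were (or will be) notified
    model_letter: Optional[str]
    filed_on: date


def red_flags(f: Filing) -> List[str]:
    """Reasons a filing should not be published automatically, mirroring the
    clues in the article: free-mail contact, implausible date, no model letter."""
    flags = []
    contact_domain = f.contact_email.rsplit("@", 1)[-1].lower()
    if contact_domain in FREE_MAIL_DOMAINS:
        flags.append("contact address on a free-mail domain")
    elif contact_domain != f.org_domain.lower():
        flags.append("contact domain does not match the claimed organization")
    # Notification dates far in the past or future are not credible.
    earliest, latest = f.filed_on - timedelta(days=365), f.filed_on + timedelta(days=90)
    if not (earliest <= f.notification_date <= latest):
        flags.append("implausible consumer notification date")
    if not f.model_letter:
        flags.append("no model notice letter attached")
    return flags


def publication_state(f: Filing, confirmed_out_of_band: bool) -> str:
    """Red flags route to manual review. A clean filing is still held until the
    claimed organization confirms it through an independent channel, because a
    well-formed address at the right domain proves nothing on its own."""
    if red_flags(f):
        return "manual_review"
    return "published" if confirmed_out_of_band else "pending_confirmation"


# Constructed sample filings modelled on the two hoaxes described above.
FILED = date(2024, 6, 1)
CLUMSY_HOAX = Filing("Example Chat Inc.", "example-chat.test", "someone@gmail.com",
                     date(2000, 1, 1), None, FILED)
PLAUSIBLE_HOAX = Filing("Example VR Inc.", "example-vr.test", "nobody@example-vr.test",
                        date(2024, 5, 20), "Dear customer, ...", FILED)
```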
The portal has temporarily disabled public access to the breach notification database while it reviews its procedures to reduce the likelihood of similar abuse in future. And, of course, the fake VRChat and Discord breach reports have now been removed.
It is not yet known who created the fake postings, or whether the targets were chosen deliberately. Perhaps more worryingly, it is also unclear how many (if any) further fake breach notices may have been submitted through the portal before public access to them was temporarily suspended.
I hope that when the site is brought back online its security will be strengthened, as many journalists rely on services like this to inform the general public about data breaches that occur, as do companies and organizations.