A public filing shows VRChat reporting a data breach affecting over 2 million users to Maine’s Attorney General. But the filing is fake, and the apparent employee who made it does not exist.
The filing with the Maine Attorney General’s office alleged that account usernames, associated emails, VRChat+ subscription status, and login history including device information, hardware identifiers, and IP addresses were exposed, while passwords, payment information, and government ID documents for age verification were not compromised.
It was submitted by a “Scott Caruso”, listed as a ‘Director” with an official VRChat email address of scaruso@vrchat.com. And multiple news outlets reported it as a VRChat data breach, without verifying that it was real.
Shortly after the reports surfaced, a VRChat community manager dropped a rebuttal on VRChat’s Discord service:
This same messaging was posted in response to messages inquiring about the breach on Reddit:
We emailed scaruso@vrchat.com to check whether the address even existed, and it bounced back immediately as nonexistent. We also cannot find a single mention online of a Scott Caruso working for VRChat, or any social VR company at all.
We reached out to VRChat directly for an official statement and it replied with the same statement regarding the alleged breach and the employee who reported it:
“VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist.
We have no reason to believe that our data or systems have been compromised.
We are in the process of contacting the Maine Attorney General’s office to have this removed.”
We will continue monitoring this situation and update this article if any new information emerges.
