Path of Exile 2 Apologizes for Major Data Breach

by Caleb, Mar 20, 2025

Path of Exile developer, Grinding Gear Games, has issued a sincere apology for a significant data breach stemming from a compromised test Steam account with administrator privileges. This article details the events and the steps taken to address the issue.

Over 66 Accounts Compromised

Enhanced Security Measures Promised

Grinding Gear Games' official forum post, "Data Breach Notification," revealed that a hacker compromised a Steam account with administrative access to Path of Exile (PoE). This allowed the attacker to reset passwords on 66 PoE 1 and PoE 2 accounts using internal customer support tools. The compromised admin account, created long ago for testing, lacked linked purchases, phone numbers, or addresses, making it vulnerable. The attacker successfully impersonated the account owner to Steam support, providing minimal information like the email address and account name, aided by a VPN to mask their location.

The hacker cleverly deleted password change notifications, concealing the resets from account owners. The attacker gained access to sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This compromised information poses a significant risk to affected users' other online accounts.

Grinding Gear Games stated, "We have implemented enhanced security measures for admin accounts to prevent future occurrences. Third-party account linking to staff accounts is prohibited, and significantly stricter IP restrictions are now in place. We deeply regret this security lapse. The necessary admin website security measures should have been in place already, and we are committed to taking further steps to prevent similar incidents."

Community response to the announcement has been mixed, with some praising the developer's transparency, while others advocate for the immediate implementation of two-factor authentication (2FA). While the timeline for 2FA implementation remains unclear, players are urged to change their passwords and remain vigilant regarding their account security.