Path of Exile 2 Developer Addresses Major Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach. The breach stemmed from a compromised test Steam account with administrator privileges. This allowed unauthorized access to over 66 player accounts.

The Breach: How it Happened

The attacker exploited a long-standing, unsecured test account. Lacking linked phone numbers, addresses, or purchase history, the attacker successfully impersonated the account holder to Steam support, gaining access using minimal information (email, username, and VPN to mask location). The attacker then used internal support tools to reset passwords on numerous PoE 1 and PoE 2 accounts. Further, they deleted password change notifications, concealing their actions.

The compromised data included sensitive personal information: email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This poses a considerable risk to affected players.

Grinding Gear Games' Response and Future Security Measures

Grinding Gear Games acknowledges the security lapse and has pledged to implement enhanced security measures for administrator accounts. These include prohibiting third-party account links to staff accounts and significantly tightening IP restrictions. The company expressed deep regret for the incident.

Player Response and Recommendations

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA). While the developer's plans for future security improvements are underway, players are urged to change their passwords and remain vigilant about their account security. The addition of 2FA is highly recommended for enhanced protection.