Path of Exile 2 Apologizes for Major Data Breach

Author: Thomas, Mar 18, 2025

Path of Exile developer, Grinding Gear Games, has issued a sincere apology for a significant data breach stemming from a compromised test Steam account with administrator privileges. This article details the events and the steps taken to prevent future incidents.

Over 66 Accounts Compromised

Enhanced Security Measures Promised

Grinding Gear Games' official PoE forum post, "Data Breach Notification," reveals a compromised Steam account with administrative access. The attacker exploited this access to reset passwords on 66 Path of Exile (PoE) 1 and PoE 2 accounts, leveraging tools normally used by customer support. The compromised admin account, created for testing purposes, lacked linked purchases, phone numbers, or addresses, allowing the attacker to deceive Steam support using minimal information (email address, account name, and a VPN to mask location).

The attacker further concealed their actions by deleting password change notifications, preventing affected users from being alerted. The attacker gained access to sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This exposed information puts affected users' other accounts at significant risk.

The developer's statement concludes with a commitment to enhanced security measures: "We have taken steps to ensure that there are more security measures around admin accounts so that this cannot happen again. No 3rd party accounts are allowed to be linked to any staff accounts and we have added significantly more stringent IP restrictions. We are incredibly sorry for this lapse in security. The measures taken to secure the admin website really should have already been in place and in the future we will be taking even more steps to make sure that this kind of issue never occurs again."

Forum responses express a mix of appreciation for the developer's transparency and calls for the implementation of two-factor authentication (2FA) to bolster account security. While the future implementation of 2FA remains to be seen, players are urged to change their passwords and remain vigilant about their account information.