Path of Exile 2 Developer Addresses Major Data Breach
Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach resulted from a compromised Steam test account with administrative privileges. Over 66 accounts were affected.
The Breach: How it Happened
The breach stemmed from a long-standing test account on Steam. Lacking security measures like linked phone numbers or addresses, this account was vulnerable. A hacker successfully impersonated the account owner to Steam support, providing minimal information (email, account name, and a VPN masking their location) to gain access. The hacker then used internal support tools to reset passwords on 66 Path of Exile accounts (both PoE 1 and PoE 2). Further, the hacker cleverly deleted password change notifications, concealing their actions from affected users.
The compromised accounts' sensitive data was accessed, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This poses a significant risk to affected players, since the same details could be used to target their other online accounts.
Grinding Gear Games' Response and Future Security Measures
Grinding Gear Games acknowledged the security lapse and outlined steps taken to prevent future incidents. These include enhanced security protocols for admin accounts, prohibiting third-party account linking to staff accounts, and implementing stricter IP restrictions.
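The pattern described above (a support account logging in from an unexpected location, resetting many passwords in one session, and then deleting the "password changed" notifications) is exactly what an audit-log review should surface, and the IP restrictions in the developer's response are the kind of allowlist such a review would check against. The following script is an added example written for this article, not code from Grinding Gear Games or its support tools: it reads a constructed JSON-lines audit log (the field names, IPs, account names and thresholds are all assumptions) and flags admin logins from outside an allowlist, bursts of password resets from a single session, and resets whose notification was deleted afterwards.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample audit log (JSON lines). Field names, IPs, account names
# and session ids are assumptions for this example, not a real tool's schema.
def build_sample_log():
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    ev = [{"ts": t0, "actor": "test-admin", "session": "s1",
           "action": "admin_login", "src_ip": "203.0.113.7"}]
    for i in range(6):  # six resets within ten minutes from one session
        when = t0 + timedelta(minutes=1 + 2 * i)
        target = f"user{i:03d}"
        ev.append({"ts": when, "actor": "test-admin", "session": "s1",
                   "action": "password_reset", "target": target})
        if i < 3:  # the first three resets have their user notice deleted
            ev.append({"ts": when + timedelta(seconds=5), "actor": "test-admin",
                       "session": "s1", "action": "notification_delete",
                       "target": target, "kind": "password_changed"})
    t1 = t0 + timedelta(hours=1)  # a normal support session for contrast
    ev.append({"ts": t1, "actor": "support-jane", "session": "s2",
               "action": "admin_login", "src_ip": "10.1.2.3"})
    ev.append({"ts": t1 + timedelta(minutes=5), "actor": "support-jane",
               "session": "s2", "action": "password_reset", "target": "user777"})
    lines = []
    for e in ev:
        rec = dict(e)
        rec["ts"] = e["ts"].isoformat().replace("+00:00", "Z")
        lines.append(json.dumps(rec))
    return "\n".join(lines) + "\n"

SAMPLE_LOG = build_sample_log()
ADMIN_IP_ALLOWLIST = [ip_network("10.0.0.0/8")]  # assumed internal range
RESET_THRESHOLD = 5                               # resets per session ...
RESET_WINDOW = timedelta(minutes=30)              # ... within this window

def parse_log(text):
    """Parse JSON lines into event dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])

def offsite_admin_logins(events, allowlist=ADMIN_IP_ALLOWLIST):
    """Admin logins whose source IP is outside every allowlisted network."""
    hits = []
    for e in events:
        if e["action"] != "admin_login":
            continue
        ip = ip_address(e["src_ip"])
        if not any(ip in net for net in allowlist):
            hits.append((e["actor"], e["src_ip"]))
    return hits

def reset_bursts(events, threshold=RESET_THRESHOLD, window=RESET_WINDOW):
    """Sessions with >= threshold password resets inside any sliding window."""
    by_session = defaultdict(list)
    for e in events:
        if e["action"] == "password_reset":
            by_session[e["session"]].append(e["ts"])
    bursts = {}
    for sess, times in by_session.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[sess] = max(bursts.get(sess, 0), hi - lo + 1)
    return bursts

def suppressed_reset_notices(events):
    """Targets whose 'password changed' notice was deleted after a reset."""
    reset_at = {}
    suppressed = []
    for e in events:
        if e["action"] == "password_reset":
            reset_at[e["target"]] = e["ts"]
        elif (e["action"] == "notification_delete"
              and e.get("kind") == "password_changed"
              and e["target"] in reset_at
              and e["ts"] >= reset_at[e["target"]]):
            suppressed.append(e["target"])
    return suppressed

def review(text):
    events = parse_log(text)
    return {"offsite_logins": offsite_admin_logins(events),
            "reset_bursts": reset_bursts(events),
            "suppressed_notices": suppressed_reset_notices(events)}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

Run against the constructed log, the review flags only the `test-admin` session: its login comes from outside the allowlist, it performs six resets in ten minutes, and three of those resets are followed by a deleted notification, while the ordinary `support-jane` session produces no findings. The three checks are deliberately independent so that any one of them firing is enough to route the session for human review; deleting a notification is a rare enough action on its own that it deserves an alert even without the other two signals.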
The community response has been mixed, with praise for the developer's transparency alongside calls for the implementation of two-factor authentication (2FA). While 2FA is not yet confirmed, players are urged to change their passwords and remain vigilant regarding their account security.