Path of Exile 2 Confirms Data Breach

Path of Exile 2 Developer, Grinding Gear Games, Addresses Data Breach

Grinding Gear Games recently disclosed a data breach affecting Path of Exile 2 players. The breach, discovered the week of January 6th, 2025, stemmed from a compromised developer account linked to Steam. This unauthorized access granted the perpetrator access to sensitive player data.

The compromised information included email addresses, Steam IDs, IP addresses, and for a significant number of accounts, shipping addresses and unlock codes. While passwords and password hashes were not directly accessible via the compromised portal, the possibility of the attacker using compromised email addresses to access other information remains. In some cases, transaction and private message histories were viewed.

Grinding Gear Games acted swiftly, disabling the compromised account and implementing mandatory password resets for all admin accounts. A subsequent investigation revealed the breach originated from an old, test-only Steam account linked to the developer's Path of Exile account. The developer's Steam account contained no personal or financial information.

To prevent future breaches, Grinding Gear Games has implemented several security enhancements. These include eliminating the ability to link third-party accounts to staff accounts and significantly tightening IP restrictions. A bug that allowed the attacker to delete logs has also been patched.

Player reaction to the breach has been varied, with some commending the developer's transparency while others advocate for the addition of two-factor authentication. Many players also expressed desires for improved security measures, enhanced in-game content, and endgame difficulty adjustments.

The breach highlights the ongoing challenge of maintaining robust online security, even for established game developers. Grinding Gear Games' response emphasizes the importance of prompt action and transparency in addressing such incidents.