Path of Exile 2 Apologizes for Major Data Breach

Feb 26,25

Path of Exile 2 Developer Addresses Major Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised test Steam account possessing administrator-level access. This compromised account allowed the attacker to reset passwords on over 66 Path of Exile accounts (both PoE 1 and PoE 2).

The Breach: How It Happened

The attacker exploited a long-standing, infrequently used test Steam account. Because the account had no linked phone numbers, addresses, or purchase history, the attacker was able to deceive Steam support by impersonating the account holder using minimal information (email address, account name, and a VPN to mask location). The attacker then used internal customer support tools to reset passwords on numerous accounts, and further concealed these actions by deleting password change notifications.

The breach resulted in unauthorized access to sensitive user data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. Grinding Gear Games acknowledges the potential for misuse of this information.

Response and Future Security Measures

In response, Grinding Gear Games has implemented enhanced security protocols for administrator accounts, including stricter IP restrictions and a prohibition on linking third-party accounts to staff accounts. The developers expressed regret over the security lapse and pledged to take further steps to prevent future incidents.

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA) for enhanced security. Players are advised to change their passwords and remain vigilant regarding their account information.
