Path of Exile 2 Developer Addresses Significant Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a data breach impacting over 66 accounts. The breach stemmed from a compromised Steam test account with administrative privileges. This article details the incident and the steps taken to prevent future occurrences.

The Breach: A Compromised Admin Account

A hacker gained unauthorized access to a long-standing Steam account used for internal testing purposes. This account lacked typical security measures like linked phone numbers or addresses, making it vulnerable. The attacker exploited this weakness, successfully deceiving Steam support to gain control. Using internal support tools, the hacker then reset passwords on 66 Path of Exile accounts (both PoE 1 and PoE 2).

Further complicating matters, the hacker cleverly deleted password change notifications, avoiding detection by affected users. The breach exposed sensitive information, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This compromised data poses a significant risk to affected players.

Grinding Gear Games' Response and Future Security Measures

Grinding Gear Games acknowledged the security lapse and outlined measures to prevent recurrence. These include enhanced security protocols around administrative accounts, prohibiting third-party account linking to staff accounts, and implementing stricter IP restrictions. The company expressed deep regret for this incident.

Player Response and Recommendations

Community reaction has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA). While the developer's statement doesn't explicitly mention 2FA, the need for enhanced security is clear. Players are advised to change their passwords and remain vigilant about their account information.