Path of Exile 2: Data Breach Apology

Author: Jack | Update: Mar 12, 2025

Path of Exile 2 Apologizes for Major Data Breach

Path of Exile developer Grinding Gear Games has issued a sincere apology for a recent security breach stemming from a compromised test Steam account with administrative privileges. This article details the incident and the steps taken to prevent future occurrences.

Over 66 Accounts Compromised

Enhanced Security Measures Promised

Grinding Gear Games' official PoE forum post, "Data Breach Notification," reveals that a hacker exploited a long-standing, test-only Steam account with administrative access to Path of Exile. The account had no linked purchases, phone numbers, or addresses, which left it vulnerable. The attacker successfully impersonated the account owner to Steam support, providing minimal information (email address, account name) and using a VPN to mask their location. They then reset the passwords of 66 Path of Exile 1 and 2 accounts using internal customer support tools.

Further, the hacker deleted the password change notifications, concealing their actions from affected players. They gained access to sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This compromised information poses a significant risk to affected users' other online accounts.

The developer's statement concludes with a commitment to improved security: "We have taken steps to ensure that there are more security measures around admin accounts so that this cannot happen again. No 3rd party accounts are allowed to be linked to any staff accounts and we have added significantly more stringent IP restrictions. We are incredibly sorry for this lapse in security. The measures taken to secure the admin website really should have already been in place and in the future we will be taking even more steps to make sure that this kind of issue never occurs again."

Forum responses highlight player appreciation for the developer's transparency while also urging the implementation of two-factor authentication (2FA) for enhanced account security. While the timeline for 2FA implementation remains unclear, players are advised to change their passwords and remain vigilant about their account information.