Path of Exile 2 Developer Addresses Significant Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a data breach impacting over 66 accounts. The breach stemmed from a compromised Steam test account with administrative privileges. This article details the events and the steps taken to mitigate future risks.

Security Lapse and its Consequences

A hacker exploited a long-standing, unsecured test account lacking crucial security measures like linked phone numbers or addresses. Using only basic account information and a VPN to mask their location, the attacker successfully deceived Steam support, gaining access to the administrative account. This allowed them to reset passwords on numerous PoE 1 and PoE 2 accounts, leveraging internal customer support tools.

Further complicating matters, the hacker cleverly deleted password change notifications, concealing their actions from affected users. The breach resulted in unauthorized access to sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This compromised information poses a significant risk of further exploitation.

Enhanced Security Measures and Player Response

Grinding Gear Games acknowledges the severity of the breach and has committed to implementing enhanced security protocols. These include stricter restrictions on administrative accounts, prohibiting third-party account linking, and significantly tightening IP restrictions. The developer expresses sincere regret for this security lapse and assures players of their commitment to preventing future occurrences.

The community's response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA) for enhanced account security. While the addition of 2FA remains pending, players are urged to change their passwords and remain vigilant about their account information.