Path of Exile 2 Apologizes for Major Data Breach
Path of Exile 2 Developer Addresses Major Data Breach
Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised test Steam account with administrator-level access. This compromised account allowed unauthorized access to over 66 player accounts.
The Breach: How it Happened
The attacker exploited a long-standing test account that lacked typical security measures such as linked phone numbers or addresses. Using readily available information (email address, account name) and masking their location with a VPN, they successfully deceived Steam support into granting access. The attacker then used internal support tools to reset passwords on numerous PoE 1 and PoE 2 accounts. They also deleted the password change notifications, concealing their actions from affected players.
The breach resulted in the exposure of sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This information poses a significant risk to affected players.
Grinding Gear Games' Response and Future Security Measures
Grinding Gear Games acknowledges the security lapse and has committed to implementing enhanced security protocols. These include stricter measures for admin accounts, a prohibition on third-party account linking, and significantly tighter IP restrictions. The company expresses deep regret for the incident and assures players of its commitment to preventing future breaches.
The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA). While the timeline for 2FA remains unclear, players are urged to change their passwords and remain vigilant about their account security.





