Path of Exile 2 Confirms Data Breach

Author: Camila, Feb 11, 2025

Path of Exile 2 Suffers Data Breach Due to Compromised Developer Account

Grinding Gear Games, the developer behind Path of Exile 2, recently disclosed a data breach that occurred during the week of January 6, 2025. The breach stemmed from a compromised developer account linked to Steam. A significant number of player accounts were affected, resulting in the exposure of sensitive information.

The Breach:

The attacker gained unauthorized access to a developer's admin account, and with it the tools used by Path of Exile 2's customer support team. That access exposed email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes for a substantial number of accounts. While passwords and password hashes were not directly accessible, the attacker potentially used compromised email addresses to bypass regional restrictions on Steam-linked accounts. In some cases, transaction and private message histories were also viewed.

Grinding Gear Games' Response:

Following the discovery, Grinding Gear Games immediately took action. They locked the compromised account, implemented mandatory password resets for all admin accounts, and launched a thorough investigation. The investigation revealed that the compromised developer account was linked to an old, inactive Steam account used for testing purposes. The developer's account, though lacking personal financial information, provided access to the developer portal and thus to player data.

To prevent future incidents, Grinding Gear Games has implemented several security enhancements, including the removal of third-party account linking for staff accounts and significantly stricter IP restrictions. A bug that allowed the attacker to delete logs has also been rectified.

Community Reaction and Future Steps:

The community's response has been varied, with some players commending the developer's transparency while others advocate for the implementation of two-factor authentication. Many players are also expressing a desire for improved security measures and further content updates, including adjustments to endgame difficulty.

The breach highlights the ongoing challenge of maintaining robust security in online gaming environments. Grinding Gear Games' prompt response and subsequent security improvements demonstrate a commitment to addressing the issue and protecting player data. However, the incident underscores the need for continuous vigilance and the importance of implementing comprehensive security protocols.