Path of Exile 2: Data Breach Apology

by Nova, Mar 13, 2025

Path of Exile 2 Apologizes for Major Data Breach

Path of Exile developer, Grinding Gear Games, has issued a sincere apology for a significant data breach stemming from a compromised test Steam account with administrator privileges. This article details the incident and the steps taken to prevent future occurrences.

Over 66 Accounts Compromised

Enhanced Security Measures Promised

Grinding Gear Games’ official PoE forum post, “Data Breach Notification,” reveals that a hacker exploited a long-standing, test-only Steam account with admin access. The account had no linked purchases, phone numbers, or addresses, which left it vulnerable: the attacker impersonated the account holder to Steam support while providing only minimal information (email address, account name) and using a VPN to mask their location. With control of the account, the hacker then used internal support tools to reset passwords on 66 Path of Exile 1 and 2 accounts.

Further, the attacker deleted the password change notifications, concealing the resets from affected users. The attacker gained access to sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. Exposure of this information also poses a significant risk to affected users' other online accounts.

Grinding Gear Games stated, "We have implemented enhanced security measures for admin accounts to prevent recurrence. Third-party account linking to staff accounts is prohibited, and significantly stricter IP restrictions are now in place. We deeply regret this security lapse. The necessary admin website security measures should have been implemented earlier, and we are committed to preventing future incidents."

Community responses to the announcement range from appreciation for the developer’s transparency to calls for implementing two-factor authentication (2FA). While the addition of 2FA remains a future goal, players are urged to change their passwords and remain vigilant about their account security.