Path of Exile 2 Developer Addresses Major Data Breach
Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised Steam test account possessing administrator privileges. This allowed the attacker to reset passwords on over 66 Path of Exile accounts (both PoE 1 and PoE 2).
The Breach: How it Happened
The compromised account, created years ago for testing purposes, lacked basic account-recovery safeguards such as a linked phone number or address. This gap allowed the attacker to convincingly impersonate the account holder to Steam support while providing only minimal information (an email address and account name) and using a VPN to mask their location. The attacker then leveraged internal support tools to reset passwords, further concealing their actions by deleting the password change notifications.
The breach resulted in access to sensitive user data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This raises significant concerns about potential misuse of this information.
Grinding Gear Games' Response and Future Security Measures
Grinding Gear Games acknowledged the security lapse and outlined steps to prevent future incidents. These include enhanced security protocols for administrator accounts, prohibiting third-party account linking to staff accounts, and implementing stricter IP restrictions.
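The controls described above (stricter IP restrictions for administrator accounts) and the attack pattern described earlier (a burst of password resets followed by deletion of the change notifications) both lend themselves to simple detection over a support-tool audit log. The following Python is an added example and not code from Grinding Gear Games or from the page; the log format, the actor names, the IP addresses and the office allow-list range are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit log (hypothetical format, not real data):
# <timestamp> <actor> <action> <target account> <source IP>
SAMPLE_LOG = """\
2025-01-10T09:00:12Z admin_alice password_reset player_001 10.20.0.15
2025-01-10T09:01:30Z admin_alice password_reset player_002 10.20.0.15
2025-01-10T11:42:03Z steam_test_admin password_reset player_103 203.0.113.77
2025-01-10T11:42:41Z steam_test_admin password_reset player_104 203.0.113.77
2025-01-10T11:43:10Z steam_test_admin delete_notification player_103 203.0.113.77
2025-01-10T11:43:55Z steam_test_admin password_reset player_105 203.0.113.77
2025-01-10T11:44:20Z steam_test_admin password_reset player_106 203.0.113.77
2025-01-10T11:45:02Z steam_test_admin delete_notification player_104 203.0.113.77
"""

# Assumed allow-list of networks from which staff tooling may be used.
ADMIN_ALLOWLIST = [ip_network("10.20.0.0/16")]
RESET_BURST_THRESHOLD = 3           # resets by one actor ...
RESET_BURST_WINDOW = timedelta(minutes=10)  # ... inside this window


def parse_log(text):
    """Parse the constructed audit-log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "action": action, "target": target, "ip": ip,
        })
    return events


def find_suspicious(events, allowlist=ADMIN_ALLOWLIST,
                    threshold=RESET_BURST_THRESHOLD, window=RESET_BURST_WINDOW):
    """Apply three detection rules and return one finding dict per hit."""
    findings = []

    # Rule 1: any staff action from an IP outside the allow-list.
    for e in events:
        if not any(ip_address(e["ip"]) in net for net in allowlist):
            findings.append({"rule": "off_allowlist_ip", "actor": e["actor"],
                             "detail": e["ip"], "ts": e["ts"]})

    # Rule 2: a burst of password resets by a single actor (sliding window).
    resets = defaultdict(list)
    for e in events:
        if e["action"] == "password_reset":
            resets[e["actor"]].append(e["ts"])
    for actor, times in resets.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"rule": "reset_burst", "actor": actor,
                             "detail": peak, "ts": times[0]})

    # Rule 3: a reset whose change notification the same actor then deleted,
    # which is how the attacker in the incident hid the resets from victims.
    reset_pairs = {(e["actor"], e["target"]) for e in events
                   if e["action"] == "password_reset"}
    for e in events:
        if (e["action"] == "delete_notification"
                and (e["actor"], e["target"]) in reset_pairs):
            findings.append({"rule": "notification_suppressed",
                             "actor": e["actor"], "detail": e["target"],
                             "ts": e["ts"]})
    return findings


def summarize(findings):
    """Count findings per rule, which is what an alerting threshold would key on."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(parse_log(SAMPLE_LOG))
    for h in hits:
        print(h["ts"].isoformat(), h["rule"], h["actor"], h["detail"])
    print(summarize(hits))
```

Against the constructed log, every finding points at the test account acting from an address outside the staff range, while the legitimate administrator's two resets from the office network produce nothing. In a real deployment the allow-list, the burst threshold and the log schema would come from the support tooling itself; the point of the example is that the three signals the article describes (off-network staff activity, many resets, and notification deletion right after a reset) are each cheap to alert on.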
The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA) for enhanced security. While 2FA is not yet confirmed, players are urged to change their passwords and remain vigilant regarding their account information.