Path of Exile 2: Data Breach Apology

Path of Exile developer, Grinding Gear Games, has issued a sincere apology for a significant data breach stemming from a compromised test Steam account with administrator privileges. This article details the events and the steps taken to prevent future occurrences.
Over 66 Accounts Compromised
Enhanced Security Measures Promised

Grinding Gear Games recently addressed a data breach on the official Path of Exile (PoE) forums. Their statement, titled "Data Breach Notification," explained that a hacker compromised a Steam account with admin access to the game. The account was used for internal testing and had no linked purchases, phone number, or address on file. The attacker impersonated the account holder to Steam support, supplying only minimal details such as the email address and account name, and used a VPN to mask their location. With control of the account, they reset the passwords on 66 PoE 1 and PoE 2 accounts using the tools normally employed by customer support agents.

The hacker also deleted the password change notifications, concealing the resets from the account owners. The attacker gained access to sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. Because this information is often reused across services, it poses a significant risk to affected users' other online accounts.

Grinding Gear Games stated that they have implemented enhanced security measures for admin accounts, prohibiting third-party account links and significantly tightening IP restrictions. They acknowledged the lapse in security and pledged further improvements to prevent similar incidents.
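The two controls named in the statement (no third-party links on admin accounts, source-IP restrictions) and the blind spot the attacker exploited (deleting the owner's password-change notification) can be expressed as a small policy check and a detection rule. The code below is an added illustration, not Grinding Gear Games' code; the account and event structures, the allowlisted networks, and the sample audit events are all constructed for the example.

```python
"""Admin-session policy and reset-without-notification detection (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

# Assumed allowlist of networks from which admin sessions may originate (constructed).
ADMIN_IP_ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


@dataclass
class Account:
    name: str
    is_admin: bool
    linked_providers: tuple[str, ...] = ()  # e.g. ("steam",) for a third-party login link


def admin_session_allowed(account: Account, source_ip: str) -> tuple[bool, str]:
    """Return (allowed, reason).

    Admin rights are refused when the account is linked to an external identity
    provider (a support-desk reset at that provider would otherwise inherit admin
    access) or when the request does not originate from an allowlisted network.
    """
    if not account.is_admin:
        return False, "not an admin account"
    if account.linked_providers:
        return False, f"admin account linked to third party: {account.linked_providers}"
    ip = ip_address(source_ip)
    if not any(ip in net for net in ADMIN_IP_ALLOWLIST):
        return False, f"source {source_ip} outside admin allowlist"
    return True, "ok"


@dataclass
class AuditEvent:
    seq: int       # append-only sequence number from the audit log
    actor: str     # support/admin account that performed the action
    action: str    # "password_reset", "notification_sent" or "notification_deleted"
    target: str    # player account affected


def suspicious_resets(events: Iterable[AuditEvent], bulk_threshold: int = 3) -> dict:
    """Flag support-tool resets whose owner notification never went out or was
    later deleted, and actors that reset an unusual number of accounts.

    The audit log is assumed append-only, so a deletion of the notification is
    itself recorded rather than silently removing the evidence.
    """
    ordered = sorted(events, key=lambda e: e.seq)
    resets: dict[str, str] = {}   # target -> actor of the most recent reset
    notified: set[str] = set()    # targets whose notification is currently delivered
    per_actor: dict[str, int] = {}
    for e in ordered:
        if e.action == "password_reset":
            resets[e.target] = e.actor
            notified.discard(e.target)  # a new reset needs a fresh notification
            per_actor[e.actor] = per_actor.get(e.actor, 0) + 1
        elif e.action == "notification_sent":
            notified.add(e.target)
        elif e.action == "notification_deleted":
            notified.discard(e.target)
    return {
        "unnotified_resets": sorted(t for t in resets if t not in notified),
        "bulk_actors": sorted(a for a, n in per_actor.items() if n >= bulk_threshold),
    }


# Constructed sample audit trail: one support account resets three players,
# suppresses alice's notification and never sends bob's; carol's is intact.
SAMPLE_EVENTS = [
    AuditEvent(1, "qa_test_admin", "password_reset", "alice"),
    AuditEvent(2, "qa_test_admin", "notification_sent", "alice"),
    AuditEvent(3, "qa_test_admin", "notification_deleted", "alice"),
    AuditEvent(4, "qa_test_admin", "password_reset", "bob"),
    AuditEvent(5, "qa_test_admin", "password_reset", "carol"),
    AuditEvent(6, "qa_test_admin", "notification_sent", "carol"),
]

if __name__ == "__main__":
    print(admin_session_allowed(Account("qa_test_admin", True, ("steam",)), "10.1.2.3"))
    print(suspicious_resets(SAMPLE_EVENTS))
```

The policy function treats the third-party link as disqualifying on its own, regardless of source IP, because the breach path ran through the external provider's support desk rather than through the game's own login. The detection rule only works if notification deletions are logged in an append-only store that the same support tooling cannot edit.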

Community responses to the announcement expressed appreciation for the developer's transparency while urging the implementation of two-factor authentication (2FA) for stronger account security. Until 2FA is available, players are advised to change their passwords and remain vigilant about their account information.