Path of Exile 2 Apologizes for Major Data Breach

Author: Kristen, Update: Feb 26, 2025

Path of Exile 2 Developer Addresses Major Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised Steam test account possessing administrator privileges. This allowed unauthorized access to over 66 player accounts.

The Breach: How it Happened

The attacker exploited a long-standing, sparsely secured test account. Because the account had no linked phone numbers, addresses, or purchase history, the attacker was able to impersonate the account holder to Steam support and gain access using minimal information (email, account name, and VPN-masked location).

The attacker then used internal customer support tools to reset passwords on 66 Path of Exile 1 and 2 accounts. Further, they deleted password change notifications, concealing their actions from affected players. Compromised data included email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This raises serious concerns about potential misuse of the stolen information.

Grinding Gear Games' Response and Future Security Measures

Grinding Gear Games acknowledged the security lapse and outlined the changes it has implemented: enhanced security protocols for administrator accounts, a prohibition on linking third-party accounts to staff accounts, and significantly stricter IP restrictions. The company expressed deep regret for the incident and committed to preventing future occurrences.

Community Reaction and Recommendations

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA). Players are urged to change their passwords and remain vigilant regarding account security. While the addition of 2FA remains pending, proactive security measures on the part of players are highly recommended.