Path of Exile 2 Developer Addresses Significant Data Breach
Grinding Gear Games, the studio behind Path of Exile, has issued a public apology following a data breach impacting over 66 player accounts. The breach stemmed from a compromised Steam test account possessing administrative privileges. This article details the incident and the subsequent security measures implemented by the developers.
Security Lapse and Hacker Actions
A compromised Steam account, utilized for internal testing and lacking linked personal information (phone number, address), was exploited. The attacker successfully deceived Steam support, gaining access using minimal account details (email, username) and a VPN to mask their location. Leveraging internal support tools, the hacker reset passwords on numerous PoE 1 and PoE 2 accounts. Furthermore, they deleted password change notifications, concealing their actions from affected players.
The breach resulted in the unauthorized access of sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This compromised information poses a significant risk to affected players, potentially enabling further account compromises.
Enhanced Security Measures and Player Response
Grinding Gear Games has responded by implementing stricter security protocols for administrative accounts. Third-party account linking to staff accounts is now prohibited, and IP restrictions have been significantly tightened. The developers expressed regret over the security lapse and pledged to implement further preventative measures.
The community's response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA) for enhanced account security. While the addition of 2FA remains pending, players are urged to change their passwords and remain vigilant regarding their account information. The initial breach image is shown below:
