Path of Exile 2 Developer Addresses Major Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised Steam test account possessing administrator privileges. This compromised account allowed unauthorized access to over 66 player accounts.

Security Lapse Detailed

The breach involved a long-standing test account lacking essential security measures like linked phone numbers or addresses. This vulnerability allowed the attacker to successfully impersonate the account holder to Steam support, gaining access using minimal information (email address, account name, and a VPN masking their location).

The attacker exploited this access to reset passwords on numerous PoE 1 and PoE 2 accounts. Furthermore, they cleverly deleted password change notifications, concealing their actions from affected players. The compromised data included sensitive personal information such as email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages.

The developer acknowledges the severity of the breach and the potential for misuse of the stolen data. They have committed to implementing enhanced security protocols for administrator accounts, including stricter IP restrictions and prohibiting third-party account linking.

Community Response and Future Security

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA) to prevent future incidents. While the developer's statement doesn't explicitly confirm the addition of 2FA, they emphasize their commitment to improved security measures. Players are advised to change their passwords and remain vigilant regarding their account information.