Path of Exile 2 Developer Addresses Major Data Breach
Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach resulted from a compromised Steam test account with administrative privileges. Over 66 accounts were affected.
The Breach: How it Happened

A hacker gained unauthorized access to a long-standing Steam account used for internal testing. This account lacked typical security measures like linked phone numbers or addresses. Exploiting this vulnerability, the hacker successfully deceived Steam support, gaining control by providing minimal account information (email, username) and using a VPN to mask their location.

The hacker then used internal support tools to reset passwords on 66 Path of Exile accounts (both PoE 1 and PoE 2). They further concealed their actions by deleting password change notifications. The compromised data included email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This sensitive information poses a significant risk to affected users.
Response and Future Security Measures

Grinding Gear Games acknowledged the security lapse and stated they've implemented enhanced security protocols for administrative accounts. These measures include stricter IP restrictions and a prohibition on linking third-party accounts to staff accounts. The company expressed deep regret for the incident and pledged to take further steps to prevent future breaches.

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA). While the addition of 2FA remains pending, players are urged to change their passwords and remain vigilant about their account security.