PoE 2 Apologizes for Major Data Leak

Path of Exile 2 Developer Addresses Significant Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a data breach impacting over 66 accounts. The breach stemmed from a compromised Steam test account possessing administrator privileges. This article details the incident and the subsequent security measures implemented by the developer.

Compromised Admin Account Facilitated Breach

A long-standing test Steam account, lacking associated purchase history, phone number, or address, was exploited. The attacker successfully impersonated the account owner to Steam support, providing minimal information (email address, account name) and using a VPN to mask their location. This allowed them access to the admin account.

The attacker then leveraged the compromised account to reset passwords on 66 Path of Exile 1 and 2 accounts, utilizing internal customer support tools. Furthermore, they deleted password change notifications, concealing their actions from affected users. Sensitive data accessed included email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This raises significant concerns about potential misuse of the stolen information.

Grinding Gear Games Responds with Enhanced Security

Grinding Gear Games acknowledges the security lapse and outlines implemented improvements: stricter access controls for admin accounts, prohibiting third-party account linking to staff accounts, and significantly enhanced IP restrictions. The company expresses deep regret for the incident and commits to preventing future occurrences.

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA). While the addition of 2FA remains pending, players are urged to change their passwords and remain vigilant regarding their account security.