Path of Exile 2 Developer Addresses Major Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach. The breach stemmed from a compromised test Steam account possessing administrator-level access. This allowed the attacker to reset passwords on over 66 PoE accounts.

The Breach: How it Happened

The compromised account, an older test account lacking associated purchase history, phone number, or address, was successfully targeted through social engineering. The attacker successfully convinced Steam support to grant access using minimal information, including email address, account name, and a VPN to mask their location.

Further exploiting the vulnerability, the attacker deleted password change notifications, preventing affected users from being alerted. The breach resulted in the exposure of sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This compromised information poses a substantial risk to affected users' other online accounts.

Enhanced Security Measures

Grinding Gear Games has pledged to implement enhanced security measures to prevent future incidents. These include stricter restrictions on administrator accounts, prohibiting the linking of third-party accounts to staff accounts, and significantly tightening IP restrictions. The developer acknowledges the lapse in security and expresses deep regret.

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA) to bolster account security. While the addition of 2FA remains pending, players are urged to change their passwords and remain vigilant about their account information.