Path of Exile 2 Apologizes for Major Data Breach

Path of Exile Developer Addresses Major Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach. The breach stemmed from a compromised Steam test account with administrative privileges. This allowed unauthorized access to over 66 player accounts.

Security Lapse Detailed

The breach involved a long-standing test account lacking typical security measures like linked phone numbers or addresses. This vulnerability allowed a hacker to deceive Steam support, gaining access using minimal information (email, username, and VPN-masked location). The hacker subsequently reset passwords on numerous PoE 1 and PoE 2 accounts, exploiting internal support tools.

Further, the attacker cleverly deleted password change notifications, concealing their actions from affected players. Compromised data included email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This sensitive information poses a significant risk of further account compromises and potential misuse.

Enhanced Security Measures Implemented

Grinding Gear Games has responded by implementing stricter security protocols for administrative accounts. Third-party account linking is now prohibited for staff accounts, and significantly more robust IP restrictions are in place. The company acknowledged the security lapse and pledged to take further preventative measures to avoid future incidents.

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA). While the specifics of future security enhancements remain unclear, players are urged to change their passwords and remain vigilant about their account security. The addition of 2FA is highly anticipated as a crucial step towards preventing future breaches.