Path of Exile 2 Apologizes for Major Data Breach

Author: Nova, Feb 20, 2025

Path of Exile 2 Developer Addresses Major Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised Steam test account with administrator privileges. This compromised account allowed unauthorized access to over 66 player accounts.

Enhanced Security Measures Promised

The breach involved a long-standing test account lacking crucial security features like linked phone numbers or addresses. This vulnerability allowed the attacker to successfully impersonate the account holder to Steam support, gaining access using minimal information (email address, account name, and a VPN masking their location).

The attacker exploited the compromised account to reset passwords on 66 Path of Exile 1 and 2 accounts, cleverly deleting password change notifications to avoid detection. Sensitive data accessed included email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. Grinding Gear Games acknowledges the potential for malicious use of this stolen information.

The developer's official forum post outlines steps taken to prevent future incidents, including enhanced security protocols for administrator accounts, prohibiting third-party account linking to staff accounts, and implementing stricter IP restrictions. They expressed deep regret for the security lapse.

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA). While the specifics of future security enhancements remain unclear, players are urged to change their passwords and remain vigilant about their account security. The addition of 2FA is highly anticipated by the player base.
