Path of Exile 2 Confirms Data Breach

Path of Exile 2 Developer Confirms Data Breach: Player Information Compromised

Grinding Gear Games, the developer behind Path of Exile 2, recently confirmed a data breach affecting a significant number of player accounts. The breach, discovered the week of January 6th, 2025, stemmed from a compromised developer account linked to Steam.

What Information Was Compromised?

The breach exposed sensitive player data, including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. While passwords and password hashes were not directly accessible via the compromised portal, the potential for attackers to leverage compromised email addresses against known password lists to bypass region locks remains a concern. In some cases, transaction and private message histories were also viewed.

How Did the Breach Occur?

The breach originated from a developer's admin account, granting unauthorized access to tools used by the Path of Exile 2 customer support team. The compromised account was linked to an old Steam account used for testing purposes. While this Steam account contained no personal information, access to the linked Path of Exile account provided the attacker entry into the developer portal.

Grinding Gear Games' Response:

Following the discovery, Grinding Gear Games immediately took action:

• The compromised account was locked.
• Password resets were enforced for all admin accounts.
• A bug allowing the deletion of relevant logs was identified and fixed.
• Third-party account linking to staff accounts has been disabled.
• IP restrictions have been significantly tightened.

Community Reaction and Future Steps:

The community's response has been varied, with some praising the developer's transparency while others advocate for the implementation of two-factor authentication. Many players also express a desire for enhanced security measures and further improvements to in-game content and endgame difficulty.

In summary: While Grinding Gear Games has taken steps to address the immediate threat and prevent future breaches, the incident highlights the ongoing importance of robust security practices in online gaming. The company's proactive response and communication are commendable, but further security enhancements are expected by the player base.