Summary
- Path of Exile 2 developer Grinding Gear Games has confirmed a data breach occurred during the week of January 6, 2025, caused by unauthorized access to a developer's account linked to Steam.
- The breach compromised player data, including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.
Grinding Gear Games recently announced that Path of Exile 2 suffered a data breach due to a compromised developer's admin account. This incident prompted the developers to take immediate steps to enhance the security of their admin accounts, aiming to prevent future breaches in both Path of Exile 2 and its predecessor, which share a common account system.
Since its early access launch in December 2024, Path of Exile 2 has enjoyed a robust player base, supported by continuous updates and clear communication from Grinding Gear Games. Recent updates have focused on improving performance on the PlayStation 5 and addressing issues related to monsters, skills, and damage. As the community anticipates the next major patch, Grinding Gear Games has taken the opportunity to address the data breach before players return to explore the new content.
The official Path of Exile 2 forum was updated with a notice detailing the breach, which was discovered during the week of January 6, 2025. The compromised account had admin access to the website, typically used by the customer support team. Upon discovery, the developers quickly locked the account and enforced password resets across all admin accounts. Further investigation revealed that the breach occurred through an old Steam account used for testing, which was linked to the developer's Path of Exile account, allowing the unauthorized user to access sensitive tools.
Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account
According to the notice, a "significant number" of accounts were affected, exposing email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. The attacker set random passwords on 66 accounts and exploited a bug to delete the log entries that recorded those changes; that bug has since been fixed. The admin portal gave the attacker access to account information, but not to passwords or password hashes. Even so, the exposed email addresses could be matched against lists of passwords leaked from other sites (credential stuffing), and on Steam-linked accounts that access could be used to bypass region locking. The attacker could also view transaction and private message histories for some accounts.
In response to the breach, Grinding Gear Games has implemented stricter security measures: staff accounts may no longer be linked to third-party accounts (a linked login such as the old Steam test account extends an admin account's trust to that provider's credentials), and access to admin tools is subject to "significantly more stringent" IP restrictions.
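The two hardening steps above can be modelled as authorization policy. The following is an added example, not Grinding Gear Games' code; the account model, the `ADMIN_NETWORKS` allowlist (a documentation IP range) and the auth-method names are assumptions made for illustration. The weak functions show how a login through a linked Steam identity inherits a staff account's admin rights; the hardened ones refuse the link on staff accounts and require first-party password authentication from an allowlisted address before admin tools are reachable.

```python
"""Added example (not GGG's code): modelling the two hardening steps the notice
describes, refusing third-party (e.g. Steam) logins on staff accounts and
restricting admin-tool access to an IP allowlist. All names and data are
constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Account:
    name: str
    is_staff: bool
    linked_providers: set = field(default_factory=set)  # e.g. {"steam"}


@dataclass
class Session:
    account: Account
    auth_method: str   # "password" or a linked provider name such as "steam"
    source_ip: str


# Hypothetical admin-portal allowlist (constructed, TEST-NET-3 documentation
# range); the notice only says restrictions became "significantly more stringent".
ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]


def link_provider_weak(account, provider):
    """Before: any account, staff included, may link a third-party login."""
    account.linked_providers.add(provider)
    return True


def link_provider_hardened(account, provider):
    """After: staff accounts cannot link third-party identities at all."""
    if account.is_staff:
        return False
    account.linked_providers.add(provider)
    return True


def admin_access_weak(session):
    """Before: any authenticated staff session reaches admin tools,
    regardless of how it authenticated or where it comes from."""
    return session.account.is_staff


def admin_access_hardened(session):
    """After: staff only, first-party password auth only, allowlisted IP only."""
    if not session.account.is_staff:
        return False
    if session.auth_method != "password":
        return False
    addr = ip_address(session.source_ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def demo():
    """Walk through the breach pattern under both policies.

    Returns (before, linked, after, ok):
      before - admin reached via the linked Steam login under the weak policy
      linked - whether the hardened policy lets a staff account link Steam
      after  - admin reached via Steam login under the hardened policy
      ok     - admin reached via password from an allowlisted IP (hardened)
    """
    dev = Account("dev-support", is_staff=True)
    # Old test Steam account gets linked under the weak policy ...
    link_provider_weak(dev, "steam")
    # ... and a login via that Steam identity from anywhere reaches admin tools.
    before = admin_access_weak(Session(dev, "steam", "198.51.100.7"))

    # Under the hardened policy the link itself is refused ...
    dev2 = Account("dev-support", is_staff=True)
    linked = link_provider_hardened(dev2, "steam")
    # ... and even a Steam-authenticated staff session is denied.
    after = admin_access_hardened(Session(dev2, "steam", "198.51.100.7"))
    # A password login from an allowlisted address is still allowed.
    ok = admin_access_hardened(Session(dev2, "password", "203.0.113.10"))

    # Player accounts are unaffected: they may still link Steam.
    player = Account("exile42", is_staff=False)
    assert link_provider_hardened(player, "steam")
    return before, linked, after, ok


if __name__ == "__main__":
    print(demo())
```

The point of the check is that a linked identity provider is an additional credential for the account; the hardened policy keeps that extra credential off staff accounts entirely rather than trying to decide per login whether it should carry admin rights.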
The community's reaction to the data breach has been varied. Some players appreciate the transparency from Grinding Gear Games, while others are advocating for the implementation of two-factor authentication for Path of Exile 2 accounts. There is a general call for improved security measures, alongside enhancements to in-game content and adjustments to the game's endgame difficulty.