Path of Exile 2 Apologizes for Data Breach

Path of Exile 2 Developer Addresses Major Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised Steam test account possessing administrator privileges. This compromised account allowed unauthorized access to over 66 player accounts.

Security Lapse and Aftermath

The breach involved a long-standing test account lacking crucial security measures like linked phone numbers or addresses. This vulnerability allowed an attacker to deceive Steam support, gaining access using minimal information. The attacker subsequently reset passwords on numerous PoE 1 and PoE 2 accounts, leveraging internal customer support tools. Further, the attacker deleted password change notifications, concealing their actions from affected users.

Sensitive data accessed included email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. Grinding Gear Games acknowledges the potential for malicious use of this compromised information.

The developer has since implemented enhanced security protocols for administrator accounts, including stricter IP restrictions and a ban on linking third-party accounts to staff accounts. They expressed deep regret for the security lapse and pledged to prevent future occurrences.

Community Response and Future Security

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA). While the specifics of future security enhancements remain unannounced, players are urged to change their passwords and remain vigilant regarding their account security. The addition of 2FA is highly anticipated as a crucial step in preventing future breaches.