Path of Exile 2 Confirms Data Breach

Author: Hannah Feb 21, 2025

Path of Exile 2 Developer Confirms Data Breach from Compromised Staff Account

Grinding Gear Games, the developer behind Path of Exile 2, has confirmed a data breach affecting a significant number of player accounts. The breach, discovered the week of January 6th, 2025, stemmed from a compromised developer account linked to Steam.

Breach Details:

The unauthorized access let the attacker use Path of Exile 2's customer support tools. As a result, sensitive player information was compromised, including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. Passwords and password hashes were not directly accessible, but the exposed email addresses leave a risk of credential stuffing. In some cases, transaction and private message histories were also viewed.

Impact and Response:

The attacker managed to alter passwords on 66 accounts and exploited a bug to delete relevant logs. This bug, since patched, affected only log deletion and not other support functions. Grinding Gear Games has implemented immediate security measures, including account lockdowns, forced password resets for admin accounts, and the removal of third-party account linking for staff. Stricter IP restrictions have also been put in place.

Community Reaction and Future Steps:

The community's response is varied, with some commending the developer's transparency while others advocate for the implementation of two-factor authentication. Many players express a desire for enhanced security measures and further improvements to both in-game content and endgame difficulty.

Summary of Compromised Data: A substantial amount of player data was accessed, including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. Access to transaction and private message history occurred in some instances. However, passwords themselves were not directly compromised.

The incident highlights the ongoing challenges in maintaining robust online security and the importance of proactive measures to protect user data.