Path of Exile 2 Developer Addresses Major Data Breach
Grinding Gear Games, the developer behind Path of Exile and Path of Exile 2, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a Steam account used for internal testing that was linked to a Path of Exile administrator account. Once the attacker controlled the Steam account, they could act with that administrator's privileges and reset the passwords on 66 Path of Exile accounts.
The Breach: How it Happened
The compromised Steam account, used only for internal testing, had none of the identity signals that Steam Support relies on to verify ownership: it was not linked to a phone number, a postal address, or any purchase history. That made it an easy target for social engineering. The attacker contacted Steam Support claiming to be the account owner, supplied only an email address and the account name, and connected through a VPN so the request's location did not raise a flag. Support handed over the account, and because it was linked to an administrator account on the Path of Exile side, the attacker could change the passwords of numerous player accounts. The attacker then deleted the notifications generated by those password changes, so the resets did not surface for review. The weak point was not Path of Exile's own login but the account-recovery process of a third party that had been granted a path to administrator privileges.
The breach exposed sensitive user data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. Grinding Gear Games acknowledged that this information could be abused, for example to target affected players with convincing phishing.
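The two behaviours described above, one administrator resetting many player passwords in a few minutes and audit records disappearing afterwards, are exactly what an audit-log detection should catch. The following is an added example, not Grinding Gear Games' code: it runs three checks over a constructed JSON-lines audit log (the log format, field names, IP ranges and thresholds are assumptions). The sequence-number gap check works because an append-only log assigns each record a monotonically increasing number, so a deleted notification leaves a hole even after the record itself is gone.

```python
"""Detection checks over an admin audit log (added example, not GGG code).

Assumed log format: one JSON object per line with fields seq, ts, actor,
action, target and ip. All sample data below is constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. admin_ops behaves normally; admin_test resets
# six player passwords in under three minutes from an off-allowlist address,
# and two records (seq 106 and 109) have been deleted.
SAMPLE_LOG = """\
{"seq": 101, "ts": "2025-01-10T02:00:05Z", "actor": "admin_ops", "action": "password_reset", "target": "player_0042", "ip": "198.51.100.10"}
{"seq": 102, "ts": "2025-01-10T02:10:00Z", "actor": "admin_test", "action": "password_reset", "target": "player_0001", "ip": "203.0.113.7"}
{"seq": 103, "ts": "2025-01-10T02:10:31Z", "actor": "admin_test", "action": "password_reset", "target": "player_0002", "ip": "203.0.113.7"}
{"seq": 104, "ts": "2025-01-10T02:11:02Z", "actor": "admin_test", "action": "password_reset", "target": "player_0003", "ip": "203.0.113.7"}
{"seq": 105, "ts": "2025-01-10T02:11:40Z", "actor": "admin_test", "action": "password_reset", "target": "player_0004", "ip": "203.0.113.7"}
{"seq": 107, "ts": "2025-01-10T02:12:15Z", "actor": "admin_test", "action": "password_reset", "target": "player_0005", "ip": "203.0.113.7"}
{"seq": 108, "ts": "2025-01-10T02:12:50Z", "actor": "admin_test", "action": "password_reset", "target": "player_0006", "ip": "203.0.113.7"}
{"seq": 110, "ts": "2025-01-10T02:30:00Z", "actor": "admin_ops", "action": "login", "target": "", "ip": "198.51.100.10"}
"""

# Assumed allowlist for administrator actions (office/VPN egress range).
ADMIN_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]


def parse_events(text):
    """Parse JSON-lines audit records and return them ordered by seq."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["seq"])


def bulk_reset_alerts(events, window=timedelta(minutes=10), threshold=5):
    """Map actor -> max distinct accounts reset inside any `window`, for
    actors that reach `threshold`. Uses a sliding window per actor."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "password_reset":
            by_actor[ev["actor"]].append(ev)
    alerts = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        worst, start = 0, 0
        for end in range(len(evs)):
            # Advance the window start until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["target"] for e in evs[start:end + 1]}
            worst = max(worst, len(distinct))
        if worst >= threshold:
            alerts[actor] = worst
    return alerts


def missing_sequence_numbers(events):
    """Sequence numbers absent between the lowest and highest seen: evidence
    that records were deleted from what should be an append-only log."""
    seqs = sorted(e["seq"] for e in events)
    present = set(seqs)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in present]


def off_allowlist_admin_actions(events, allowlist=ADMIN_ALLOWLIST):
    """(seq, actor, ip) for every admin action from outside the allowlist."""
    flagged = []
    for ev in events:
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in allowlist):
            flagged.append((ev["seq"], ev["actor"], ev["ip"]))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("bulk resets:", bulk_reset_alerts(evs))
    print("deleted records (seq gaps):", missing_sequence_numbers(evs))
    print("off-allowlist admin actions:", off_allowlist_admin_actions(evs))
```

On the constructed log this flags admin_test for six distinct resets inside the window, reports sequence numbers 106 and 109 as missing, and lists every admin_test action as coming from outside the allowlist. The sequence-gap check only has value if the log store itself cannot be rewritten by the administrator account being monitored; shipping records to a separate append-only store as they are written is what makes the gap a reliable signal.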
Enhanced Security Measures
In response, Grinding Gear Games has implemented several security enhancements: tighter restrictions on what administrator accounts can do, a ban on linking third-party accounts (such as Steam) to staff accounts, so that a third party's account-recovery process can no longer become a route to administrator privileges, and much stricter IP restrictions on administrator access. The developer expressed regret for the security lapse and pledged to take further preventative steps.
Player Response and Recommendations
The community's response has been mixed, with some praising the developer's transparency and others pressing for the long-requested two-factor authentication (2FA) on player accounts. While 2FA remains pending, players are advised to change their Path of Exile password immediately, to change it on any other service where the same password was reused, and to stay vigilant: the exposed email addresses, shipping addresses and transaction histories are exactly the details a follow-up phishing message would use to look legitimate.