Path of Exile 2: Data Breach Acknowledged

by Isabella, Feb 20, 2025

Path of Exile 2 Developer Confirms Data Breach: Player Information Compromised

Grinding Gear Games, the developer behind Path of Exile 2, has confirmed a data breach that occurred the week of January 6, 2025. The breach stemmed from a compromised developer account linked to Steam. A significant number of player accounts were affected, resulting in the exposure of sensitive information.

Compromised Data: The breach exposed email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. While passwords and password hashes were not directly accessible, the potential for the attacker to use compromised email addresses to bypass regional account restrictions remains a concern. For some accounts, transaction and private message histories were also viewed.

Breach Details: The attacker gained access via a developer's administrative account, exploiting a now-patched vulnerability that allowed log deletion. This access granted the attacker the ability to view account details through the developer portal. The compromised Steam account, used for testing purposes, lacked personal information but provided access to the developer's Path of Exile account, creating a pathway to other accounts. Sixty-six accounts had their passwords randomly changed by the attacker.

Security Enhancements: In response, Grinding Gear Games has implemented several security measures. Third-party account linking to staff accounts has been disabled, and IP restrictions have been significantly tightened.

Community Reaction: Player response has been varied, with some appreciating the developer's transparency while others advocate for the addition of two-factor authentication to enhance account security. Concerns regarding overall security, endgame difficulty adjustments, and in-game content updates have also been voiced.

The incident highlights the ongoing challenges in maintaining online security, even for established game developers. The swift response and security improvements by Grinding Gear Games are a positive step, but the incident underscores the need for robust security protocols and ongoing vigilance.