Path of Exile 2 Data Breach Confirmed

Author: Kristen Update: Feb 24, 2025

Path of Exile 2 Developer Confirms Data Breach: Player Information Compromised

Grinding Gear Games, the developer behind Path of Exile 2, has confirmed a data breach that occurred the week of January 6, 2025. The breach stemmed from a compromised developer account linked to Steam. A significant number of player accounts were affected, resulting in the exposure of sensitive information.

Compromised Data:

The breach exposed a range of data, including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. While passwords and password hashes were not directly accessible, the risk of password reuse from other compromised accounts remains a concern. In some cases, transaction histories and private messages between players and Grinding Gear Games staff were also viewed.

The Breach:

The attacker gained access via a developer's admin account, exploiting a vulnerability in the account's link to an old, unused Steam account. This allowed access to the developer portal, where the attacker could view and manipulate account information. The attacker also changed passwords on 66 accounts and exploited a bug to delete logs, hindering the investigation. This bug, specific to log deletion, has since been patched.

Grinding Gear Games' Response:

Following the discovery, Grinding Gear Games immediately took action:

  • The compromised account was locked.
  • All admin accounts were forced to reset their passwords.
  • A thorough investigation was launched.
  • Third-party account linking to staff accounts has been disabled.
  • IP restrictions have been significantly strengthened.

Community Reaction:

Player reaction has been varied. While some appreciate the developer's transparency, others are demanding enhanced security measures, specifically the implementation of two-factor authentication. Concerns regarding endgame difficulty and overall game content are also being voiced.

Moving Forward:

The incident highlights the importance of robust security practices in online gaming. Grinding Gear Games' swift response is commendable, but the breach underscores the need for continuous improvement in account security and the ongoing challenge of protecting user data in the face of sophisticated attacks. The company's commitment to addressing these issues will be crucial in maintaining player trust and confidence.