Apology Issued by Path of Exile 2 for Major Data Breach

Path of Exile 2 Developer Addresses Major Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised Steam test account possessing administrator privileges. This unauthorized access resulted in the compromise of over 66 player accounts.

Security Lapse Detailed

The breach involved a long-standing test account lacking crucial security features like linked phone numbers or addresses. This vulnerability allowed a hacker to successfully impersonate the account holder with minimal information, deceiving Steam support and gaining access. The hacker exploited this access to reset passwords on numerous PoE 1 and PoE 2 accounts, leveraging internal customer support tools. Furthermore, the attacker cleverly deleted password change notifications, concealing their actions from affected players.

Sensitive data accessed included email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. Grinding Gear Games acknowledges the potential misuse of this information and the resulting risk to players.

Enhanced Security Measures Implemented

In response, the developers have implemented several security enhancements, including stricter restrictions on administrator accounts and the prohibition of third-party account linking to staff accounts. They have also significantly tightened IP restrictions. The company expressed deep regret for this security lapse and pledged to take further steps to prevent future incidents.

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA) for enhanced security. While the addition of 2FA remains pending, players are urged to change their passwords and remain vigilant regarding their account information.