PoE 2 Data Breach Confirmed

Path of Exile 2 Developer, Grinding Gear Games, Addresses Data Breach

Grinding Gear Games recently disclosed a data breach affecting Path of Exile 2 players. The breach, discovered the week of January 6th, 2025, stemmed from a compromised developer account linked to Steam. This unauthorized access exposed sensitive player data.

Compromised Information:

A significant number of accounts were impacted, with the breach exposing email addresses, Steam IDs, IP addresses, and in some cases, shipping addresses and unlock codes. While passwords and password hashes were not directly accessible, the potential for the attacker to use compromised email addresses to access accounts via other means remains a concern. Some accounts also had their transaction and private message histories viewed.

The Breach's Origin:

The breach originated from a compromised developer account used for testing purposes. This account, linked to an older Steam account (containing no financial or personal information), provided the attacker with sufficient access to the developer portal.

Grinding Gear Games' Response:

Following the discovery, Grinding Gear Games immediately took action:

• The compromised account was locked.
• All admin accounts were forced to reset their passwords.
• A bug allowing the deletion of relevant logs was identified and fixed.
• Third-party account linking to staff accounts has been disabled.
• IP restrictions have been significantly tightened.

Community Reaction and Future Steps:

Player responses have been varied, with some commending the developer's transparency while others advocate for the implementation of two-factor authentication. The incident highlights the need for enhanced security measures, a sentiment echoed by many players alongside requests for improvements to in-game content and endgame difficulty.