Path of Exile 2 Developer Confirms Data Breach Following Compromised Staff Account
Grinding Gear Games, the developer behind Path of Exile 2, has confirmed a data breach impacting a significant number of player accounts. The breach, discovered the week of January 6th, 2025, stemmed from a compromised developer account linked to Steam.
Breach Details: The compromised account gave the attacker access to the developer portal, resulting in the exposure of sensitive player data. The exposed information includes email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes for a substantial number of accounts. While passwords and password hashes were not directly accessible, the risk of credential stuffing remains a concern. In some cases, transaction and private message histories were also viewed.
Immediate Actions Taken: Grinding Gear Games swiftly responded by locking the compromised account, implementing mandatory password resets for all admin accounts, and patching a bug that allowed the deletion of activity logs. Further investigation revealed the compromised account was linked to an old, inactive Steam account used for testing purposes.
Enhanced Security Measures: To prevent future incidents, Grinding Gear Games has implemented stricter security protocols. These include eliminating the ability to link third-party accounts to staff accounts and imposing significantly more stringent IP restrictions.
Community Response: Player reactions have been varied, with some commending the developer's transparency while others advocate for the implementation of two-factor authentication (2FA) for enhanced account security. Calls for improved security measures and adjustments to endgame difficulty and content are also prevalent within the community.
Summary of Compromised Data:
- Email addresses
- Steam IDs
- IP addresses
- Shipping addresses
- Unlock codes
- (In some cases) Transaction history
- (In some cases) Private messages with Grinding Gear Games staff
The incident highlights the importance of robust security practices within game development and the ongoing need for developers to prioritize player data protection.