Summary
Grinding Gear Games, the developer behind Path of Exile 2, has confirmed a data breach that occurred during the week of January 6, 2025. The breach stemmed from a developer's compromised admin account, which was linked to an old Steam account used for testing. This unauthorized access led to the exposure of player data, including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.
The breach was initiated when an attacker gained access to a developer's account, which allowed them to utilize tools typically reserved for customer support. Grinding Gear Games quickly responded by locking the compromised account and resetting passwords for all admin accounts. However, the attacker was able to set random passwords on 66 accounts and delete logs due to a bug, which has since been fixed.
While no passwords or password hashes were accessible through the customer service portal, the attacker could potentially use the compromised email addresses to bypass region locking on Steam-linked accounts. Additionally, the attacker viewed transaction and private message histories for some accounts.
In response to the breach, Grinding Gear Games has implemented stricter security measures, including prohibiting the linking of third-party accounts to staff accounts and enforcing more stringent IP restrictions. The community's reaction has been varied, with some commending the transparency of the developers, while others demand the addition of two-factor authentication and improvements in game security and content.
Since its early access release in December 2024, Path of Exile 2 has enjoyed a robust player base, supported by continuous updates and developer communication. A recent patch enhanced performance on PlayStation 5 and addressed issues with monsters, skills, and damage. The next major update is anticipated soon, and the developers have addressed the data breach to reassure players before they dive into the new content.
Grinding Gear Games has updated their official Path of Exile 2 forum with details of the breach, emphasizing their commitment to preventing future incidents and enhancing overall security for both Path of Exile 2 and its predecessor, which share a common account system.