Path of Exile 2 Developer Addresses Major Data Breach
Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised Steam test account that held administrator privileges. Through this account, the attacker was able to access and modify over 66 player accounts across PoE 1 and PoE 2.
The attacker exploited weaknesses in the system, resetting passwords on numerous accounts using tools intended for customer support. The compromised admin account, created for testing purposes, lacked crucial security measures such as a linked phone number or address, which made it easier for the attacker to gain unauthorized access by impersonating the legitimate user. The impersonation required only basic account information and a VPN to mask the attacker's location.
Further compounding the issue, the attacker deleted the password change notifications, concealing the activity and preventing affected players from becoming aware of it immediately. The breach resulted in the exposure of sensitive personal data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages.
Grinding Gear Games has acknowledged the security lapse and outlined steps taken to prevent future occurrences. These include enhanced security protocols for admin accounts, prohibiting third-party account linking to staff accounts, and implementing stricter IP restrictions. The company expressed deep regret for the incident.
The community response has been mixed, with some praising the developer's transparency while others advocate the immediate introduction of two-factor authentication (2FA) to bolster account security. Players are urged to change their passwords and remain vigilant about their account information. While the addition of 2FA remains pending, proactive measures by players are recommended.