Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account
Summary
- Path of Exile 2 developer Grinding Gear Games has confirmed a data breach that occurred during the week of January 6, 2025, resulting from a compromised developer account linked to Steam.
- The breach affected a "significant number" of accounts, exposing email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.
Grinding Gear Games has officially acknowledged a data breach in Path of Exile 2 stemming from unauthorized access to a developer's admin account. Because that account was connected to Steam, the compromise exposed player data. In response, the developers are taking immediate steps to harden their admin accounts, aiming to prevent future breaches in both Path of Exile 2 and its predecessor, which share a common login system.
Since its early access launch in December 2024, Path of Exile 2 has enjoyed a robust player community, sustained by regular updates and open communication from Grinding Gear Games. A recent update improved the game's performance on PlayStation 5 and addressed issues with monsters, skills, and damage. With the next major patch approaching, the developers chose to inform players about the breach before they dive into the new content.
The official Path of Exile 2 forum was updated with a notice detailing the breach, which was discovered during the week of January 6, 2025. The compromised account belonged to a developer and granted access to customer support tools. The developers swiftly locked the account and enforced password resets for all admin accounts. Further investigation traced the breach to an old Steam account that had been used for testing: it held no personal information, but it provided the attacker with enough data to take control of the developer's Path of Exile account and, through the developer portal, to manipulate other players' accounts.
The attacker set random passwords on 66 accounts and exploited a bug to delete the logs of those changes. Although the bug has since been fixed, the attacker was able to view sensitive account information on the developer portal. While passwords and password hashes were not exposed, the attacker could potentially use the email addresses, cross-referenced with password lists leaked from other sites, to bypass region locking on Steam-linked Path of Exile 2 accounts. For some accounts, the attacker also accessed transaction histories and private message histories with Grinding Gear Games staff. To reduce future risk, the company has prohibited linking third-party accounts to staff accounts and implemented stricter IP restrictions.
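As an added defender-side illustration (not code from Grinding Gear Games or from this article), here are two checks a support-portal operator could run over its own audit log: a hash chain that reveals when a change record has been deleted, the kind of log removal described above, and a detector for a single admin setting passwords on many accounts within a short window. The event format, the admin name, the thresholds and the sample entries are all assumptions constructed for the example.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

GENESIS = "0" * 64  # previous-hash value used for the first audit entry

def chain_hash(prev_hash, event):
    # Each entry commits to its predecessor, so silently removing one breaks the chain.
    payload = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def verify_chain(log):
    """Seq numbers at which the chain no longer links (an entry before it was deleted or altered)."""
    broken, prev = [], GENESIS
    for entry in log:
        event = {k: v for k, v in entry.items() if k != "hash"}
        if chain_hash(prev, event) != entry["hash"]:
            broken.append(entry["seq"])
        prev = entry["hash"]
    return broken

def bulk_password_resets(log, threshold=5, window=timedelta(minutes=10)):
    """Admins who set passwords on >= threshold distinct accounts inside one window."""
    resets = defaultdict(list)
    for e in log:
        if e["action"] == "set_password":
            resets[e["admin"]].append((datetime.fromisoformat(e["ts"]), e["target"]))
    flagged = {}
    for admin, items in sorted(resets.items()):
        for t0, _ in items:
            targets = {tgt for t, tgt in items if t0 <= t <= t0 + window}
            if len(targets) >= threshold:
                flagged[admin] = max(flagged.get(admin, 0), len(targets))
    return flagged

def drop_entry(log, seq):
    # Models the portal bug the attacker used: one change record silently removed.
    return [e for e in log if e["seq"] != seq]

def build_sample_log():
    # Constructed sample (hypothetical, not real data): one admin resetting six accounts in 3 minutes.
    log, prev = [], GENESIS
    for i in range(6):
        ev = {"seq": i + 1, "ts": f"2025-01-06T10:0{i // 2}:{(i % 2) * 30:02d}",
              "admin": "dev_support", "action": "set_password", "target": f"u{1000 + i}"}
        prev = chain_hash(prev, ev)
        log.append(dict(ev, hash=prev))
    return log
```

Deleting the newest entry is not caught by the chain alone, since nothing yet commits to it; periodically anchoring the latest hash on a separate system closes that gap.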
The community's reaction to the breach has been varied. Some players appreciate the transparency from the developers, while others advocate for the addition of two-factor authentication to Path of Exile 2 accounts. There is a clear demand for enhanced security measures, as well as requests for improvements in in-game content and adjustments to the game's endgame difficulty.