Path of Exile 2 Developer Addresses Major Data Breach
Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised Steam test account that held administrator privileges. Through this account, the attacker gained unauthorized access to over 66 player accounts.
Security Lapse Detailed
The breach occurred when a hacker gained control of an older test account. This account lacked the usual safeguards, such as a linked phone number or address, and was compromised by impersonating the account holder to Steam support. With only minimal information (an email address, the account name, and a VPN to mask location), the hacker was granted access.
The hacker then used internal support tools to reset passwords on numerous PoE 1 and PoE 2 accounts. They also deleted the resulting password-change notifications, so affected users were never alerted. The compromised data included sensitive information such as email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages.
This data poses a significant risk to affected players, potentially enabling the attacker to compromise other online accounts.
Enhanced Security Measures Implemented
Grinding Gear Games has responded by implementing stricter security protocols for administrator accounts. These measures include eliminating third-party account linking and implementing more robust IP restrictions. The developer acknowledges the security lapse and expresses deep regret for the incident.
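The two behaviours described above (one privileged account resetting many player passwords in quick succession and then deleting the notification that each reset generates) and the IP-restriction mitigation both lend themselves to simple audit-log detections. The following is an added example, not code from Grinding Gear Games or from the article: it runs three checks over a constructed audit log whose pipe-delimited format, action names (`password_reset`, `notify_sent`, `notify_delete`, `admin_login`), account names, and allowlisted IP range are all assumptions made for illustration.

```python
"""Detection of admin password-reset abuse over constructed audit log lines.

Three signals taken from the incident description, implemented here as an
illustrative example (log format, action names and thresholds are assumptions):
  1. one admin identity resetting many player passwords in a short window,
  2. a password-change notification deleted right after the reset that caused it,
  3. an admin login from a source IP outside the approved range.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the article). Assumed format:
#   ISO-timestamp|actor|action|target
# For admin_login events the target field carries the source IP address.
SAMPLE_AUDIT_LOG = """\
2025-01-05T09:59:00|support_alice|admin_login|203.0.113.10
2025-01-05T10:00:00|support_alice|password_reset|player_1001
2025-01-05T10:00:05|support_alice|notify_sent|player_1001
2025-01-05T10:31:00|support_bob|password_reset|player_1002
2025-01-05T10:31:04|support_bob|notify_sent|player_1002
2025-01-05T21:58:00|legacy_test_admin|admin_login|198.51.100.77
2025-01-05T22:00:00|legacy_test_admin|password_reset|player_2001
2025-01-05T22:00:03|legacy_test_admin|notify_sent|player_2001
2025-01-05T22:00:04|legacy_test_admin|notify_delete|player_2001
2025-01-05T22:00:40|legacy_test_admin|password_reset|player_2002
2025-01-05T22:00:41|legacy_test_admin|notify_sent|player_2002
2025-01-05T22:00:42|legacy_test_admin|notify_delete|player_2002
2025-01-05T22:01:10|legacy_test_admin|password_reset|player_2003
2025-01-05T22:01:11|legacy_test_admin|notify_sent|player_2003
2025-01-05T22:01:12|legacy_test_admin|notify_delete|player_2003
"""

# Assumed allowlist of networks from which admin logins are permitted
# (203.0.113.0/24 is a documentation range, used here as a placeholder).
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def parse_audit_log(text):
    """Parse pipe-delimited audit lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, actor, action, target = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "target": target})
    return sorted(events, key=lambda e: e["ts"])


def find_suppressed_notifications(events, max_gap=timedelta(minutes=5)):
    """(actor, target) pairs where a notify_delete follows a password_reset on the
    same target within max_gap. A legitimate support reset has no reason to
    delete the notification it just triggered."""
    last_reset = {}  # target -> timestamp of the most recent password_reset
    hits = []
    for e in events:
        if e["action"] == "password_reset":
            last_reset[e["target"]] = e["ts"]
        elif e["action"] == "notify_delete" and e["target"] in last_reset:
            if e["ts"] - last_reset[e["target"]] <= max_gap:
                hits.append((e["actor"], e["target"]))
    return hits


def find_bulk_resetters(events, window=timedelta(minutes=10), threshold=3):
    """{actor: peak_count} for actors whose password_reset count inside any
    sliding window of length `window` reaches `threshold`."""
    resets = defaultdict(list)
    for e in events:
        if e["action"] == "password_reset":
            resets[e["actor"]].append(e["ts"])
    flagged = {}
    for actor, stamps in resets.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


def find_admin_logins_outside_allowlist(events, allowlist=ADMIN_ALLOWLIST):
    """(actor, source_ip) pairs for admin_login events from a non-allowlisted IP."""
    hits = []
    for e in events:
        if e["action"] != "admin_login":
            continue
        ip = ipaddress.ip_address(e["target"])
        if not any(ip in net for net in allowlist):
            hits.append((e["actor"], e["target"]))
    return hits


def analyse(text=SAMPLE_AUDIT_LOG):
    """Run all three detections over one audit log and return their findings."""
    events = parse_audit_log(text)
    return {
        "bulk_resetters": find_bulk_resetters(events),
        "suppressed_notifications": find_suppressed_notifications(events),
        "admin_logins_outside_allowlist": find_admin_logins_outside_allowlist(events),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(f"{name}: {result}")
```

Against the constructed log, the two ordinary support staff trigger nothing, while the legacy test account is flagged by all three checks. The third check is the detection counterpart of the IP restrictions the developer says it has now put in place; the other two would have fired during the incident regardless of where the attacker connected from, which is why notification deletion deserves its own audit trail rather than being a silent operation.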
The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA) to prevent future breaches. While the addition of 2FA remains pending, players are urged to change their passwords and remain vigilant regarding their account security.