Summary
- Grinding Gear Games, the developer of Path of Exile 2, confirmed a data breach occurring the week of January 6, 2025.
- The breach stemmed from a compromised developer account linked to Steam.
- Compromised data included player email addresses, Steam IDs, IP addresses, and other information.
Following its December 2024 early access launch, Path of Exile 2 has maintained a strong player base, fueled by consistent updates and developer communication. Recent updates addressed PlayStation 5 performance and various in-game issues. Grinding Gear Games proactively addressed this data breach before the release of the next major patch.
A notice on the official Path of Exile 2 forum detailed the breach, discovered the week of January 6, 2025. A developer's account with website admin access was compromised, granting access to tools used by the customer support team. The account was immediately locked, and all admin accounts underwent forced password resets. Investigation revealed the compromised account was linked to an old, inactive Steam account used for testing, which provided the attacker with sufficient information to gain access. While this Steam account contained no purchase or personal data, access to the developer's Path of Exile account allowed manipulation of other accounts through the developer portal.
Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account
- A "significant number" of accounts were affected, with compromised data including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.
The attacker altered passwords on 66 accounts and exploited a bug to delete logs tracking changes. This bug, affecting only log deletion, has since been fixed. The breach allowed access to account information for a significant number of accounts via the developer portal, exposing the aforementioned data. While passwords and password hashes were not directly accessible, Grinding Gear Games acknowledged the possibility of the attacker using compromised email addresses to bypass regional account restrictions on Steam. Some accounts also had their transaction and private message history (with Grinding Gear Games staff) viewed. To prevent future breaches, third-party account linking to staff accounts has been disabled, and IP restrictions have been significantly tightened.
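Two of the controls in the notice above, tamper-evident change logs and IP-restricted admin tooling, are easy to illustrate. The following is an added example written for this article; it is not Grinding Gear Games' code and says nothing about how their portal is built. It assumes a hypothetical `AuditLog` whose records are chained with an HMAC so that deleting or editing any entry is detected on verification, and a hypothetical `admin_access_allowed` gate that refuses admin-tool access to staff accounts with a third-party login linked or to requests from outside a constructed allowlist. The key and networks are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed demo key; a real deployment would load it from a KMS/HSM.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

# Constructed allowlist of corporate/VPN networks permitted to reach admin tools.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]


@dataclass
class AuditLog:
    """Append-only audit log. Every record commits to the previous record's
    MAC, so removing or altering any entry breaks the chain on verification.
    There is deliberately no delete method: retention is handled out of band."""
    records: list = field(default_factory=list)

    def append(self, actor: str, action: str, target: str) -> dict:
        prev_mac = self.records[-1]["mac"] if self.records else "0" * 64
        body = {
            "seq": len(self.records),
            "actor": actor,
            "action": action,
            "target": target,
            "prev": prev_mac,
        }
        canonical = json.dumps(body, sort_keys=True).encode()
        body["mac"] = hmac.new(AUDIT_KEY, canonical, hashlib.sha256).hexdigest()
        self.records.append(body)
        return body


def verify_chain(records: list) -> tuple:
    """Return (ok, index_of_first_bad_record); index is -1 when intact.
    A missing record shows up as a sequence/prev-MAC mismatch at the gap."""
    prev_mac = "0" * 64
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev_mac:
            return False, i
        body = {k: v for k, v in rec.items() if k != "mac"}
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(AUDIT_KEY, canonical, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev_mac = rec["mac"]
    return True, -1


def admin_access_allowed(source_ip: str, account: dict) -> bool:
    """Gate admin-tool access: the staff account must have no third-party
    login linked, and the request must originate from an allowlisted network."""
    if account.get("linked_third_party"):
        return False
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def demo() -> tuple:
    """Constructed scenario: three password resets are logged, then the
    middle record is removed. Verification passes before and fails after,
    pointing at the position where the gap was introduced."""
    log = AuditLog()
    for n in range(3):
        log.append("staff-dev", "password_reset", f"player-{n}")
    ok_before, _ = verify_chain(log.records)
    tampered = [r for r in log.records if r["seq"] != 1]
    ok_after, first_bad = verify_chain(tampered)
    return ok_before, ok_after, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The chain only makes tampering detectable; it does not prevent it, so the verification should run from a separate system (or the log should be shipped to write-once storage) rather than from the same admin portal whose compromise it is meant to reveal.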
Player reaction to the breach has been mixed, with some praising the developer's transparency, while others advocate for the implementation of two-factor authentication. Many players also expressed desires for improved security, enhanced in-game content, and adjustments to endgame difficulty.