Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account
Summary
- Grinding Gear Games, the developer of Path of Exile 2, confirmed a data breach discovered the week of January 6, 2025.
- The breach stemmed from a developer's website admin account that was taken over through an old, test-only Steam account linked to it.
- Exposed data for a "significant number" of accounts included email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.
Grinding Gear Games has confirmed a data breach affecting Path of Exile 2 that originated from a compromised developer admin account. The studio outlined changes to harden admin accounts, intended to prevent a recurrence across both Path of Exile and Path of Exile 2, which share a single account login.
Since its December 2024 early access launch, Path of Exile 2 has maintained a strong player base, helped by frequent updates and regular developer communication. Recent updates improved PlayStation 5 performance and addressed issues with monsters, skills, and damage. The breach disclosure comes ahead of the game's next major patch.
Grinding Gear Games detailed the breach on the official Path of Exile 2 forum. It was discovered the week of January 6, 2025, when a developer's website admin account was compromised, giving the attacker access to tools normally used by the customer support team. The account was locked immediately, and every admin account was forced through a password reset. The investigation found that the compromised account was linked to an old, test-only Steam account, and that link gave the attacker enough to take over the admin account. The Steam account itself held no personal or purchase information, but the developer's Path of Exile account it was linked to let the attacker act on other players' accounts through the support portal.
The attacker reset the passwords of 66 accounts, apparently chosen at random, and exploited a bug to delete the logs that track such changes. Grinding Gear Games confirmed that the bug, which only affected log deletion, has since been fixed. The log-deletion bug matters for incident scoping: when an attacker can erase the record of their own changes, the defenders' view of the intrusion is only as complete as the logs that survive. Through the support portal the attacker could view account information for a significant number of accounts, exposing email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.
Passwords and password hashes were not accessible through the customer service portal. Grinding Gear Games nevertheless acknowledged that the attacker could cross-reference the exposed email addresses with password lists leaked from other websites, which the studio suggests was aimed at bypassing regional account restrictions on Steam. For some accounts the attacker also accessed transaction history and private messages between players and Grinding Gear Games staff. To prevent a recurrence, staff accounts may no longer be linked to third-party accounts, and IP restrictions on staff access have been significantly tightened.
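The two controls the studio describes, no third-party identities on staff accounts and IP restrictions on staff access, can be expressed as a small policy gate in front of a support portal. The following is an added illustration, not Grinding Gear Games' code; the role names, the allowlisted ranges and the sample accounts are constructed, and the audit helper at the end is the check a practitioner would run to find legacy links like the old test Steam account that started this incident.

```python
"""Staff-account policy gate for a support/admin portal.

Added example, not Grinding Gear Games' code. It models the two controls the
studio described after the incident: staff accounts may not have third-party
logins (such as Steam) linked to them, and staff access is limited to
allowlisted IP ranges. Roles, IP ranges and account data are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Roles that can reach customer-support tooling (assumption).
STAFF_ROLES = frozenset({"admin", "support"})

# Constructed allowlist standing in for office/VPN egress ranges.
STAFF_IP_ALLOWLIST = (
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
)


@dataclass
class Account:
    username: str
    role: str                                    # "player", "support" or "admin"
    linked_identities: set[str] = field(default_factory=set)  # e.g. "steam:test-123"


def link_identity(acct: Account, identity: str) -> bool:
    """Attach a third-party login. Refused outright for staff-role accounts,
    which closes the path used in the incident (a test Steam account linked
    to an admin account)."""
    if acct.role in STAFF_ROLES:
        return False
    acct.linked_identities.add(identity)
    return True


def authorize_portal_login(acct: Account, via_identity: str | None,
                           source_ip: str) -> tuple[bool, str]:
    """Decide whether a login to the staff portal is permitted.

    via_identity is the third-party identity used to sign in, or None for
    first-party credentials. Returns (allowed, reason)."""
    if acct.role not in STAFF_ROLES:
        return False, "not a staff account"
    if via_identity is not None:
        return False, "third-party sign-in is not accepted for staff"
    if acct.linked_identities:
        # Legacy links must be removed before the account can be used again.
        return False, "staff account still has linked third-party identities"
    ip = ipaddress.ip_address(source_ip)
    # An IPv4 address is never "in" an IPv6 network and vice versa, so mixed
    # allowlists are safe to scan with a single any().
    if not any(ip in net for net in STAFF_IP_ALLOWLIST):
        return False, f"source address {source_ip} is outside the staff allowlist"
    return True, "ok"


def staff_with_linked_identities(accounts: list[Account]) -> list[str]:
    """Audit helper: staff accounts that still carry a third-party link."""
    return sorted(a.username for a in accounts
                  if a.role in STAFF_ROLES and a.linked_identities)


if __name__ == "__main__":
    # Constructed sample accounts.
    accounts = [
        Account("dev_alice", "admin", {"steam:old-test-account"}),
        Account("cs_bob", "support"),
        Account("player_carol", "player", {"steam:7656"}),
    ]
    print("staff accounts needing unlink:", staff_with_linked_identities(accounts))
    print(authorize_portal_login(accounts[1], None, "203.0.113.10"))
    print(authorize_portal_login(accounts[1], None, "198.51.100.7"))
    print(authorize_portal_login(accounts[0], None, "203.0.113.10"))
```

The gate deliberately refuses a staff account that still has an old link rather than silently ignoring the link: the incident shows that an identity nobody uses any more is still an authentication path, so the account is unusable until the link is removed and the audit helper returns an empty list.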
Community reaction has been mixed: some players praise the developers' transparency, while others want two-factor authentication for Path of Exile 2 accounts. Many players are also asking for stronger account security alongside more in-game content and adjustments to endgame difficulty.