Path of Exile Developer Addresses Major Data Breach
Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach affecting over 66 accounts. The breach stemmed from a compromised Steam test account with administrative privileges. This article details the incident and the steps taken to prevent future occurrences.
The compromised account was a Steam account used for internal testing that lacked the usual safeguards (no linked phone number, address, or purchase history). The attacker impersonated the account holder to Steam support and obtained access with only minimal information: the email address, the account name, and a VPN to mask their location.
The attacker then used internal support tools to reset the passwords of 66 Path of Exile accounts (both PoE 1 and PoE 2) and deleted the password-change notifications, concealing the resets from the affected users. The breach exposed sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages.
Grinding Gear Games has acknowledged the security lapse and implemented several corrective measures. These include enhanced security protocols for administrative accounts, prohibiting third-party account linking to staff accounts, and implementing stricter IP restrictions.
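As an added illustration of the defender's side of this incident (example code written for this article, not Grinding Gear Games' tooling), the script below runs a small detector over constructed support-tool audit log lines and flags the three signals the incident description implies: administrative actions from outside an allowlisted IP range (the stricter IP restrictions mentioned above), a burst of password resets by a single actor, and a reset notification deleted by the same actor that performed the reset. The log format, field names, actor and account names, and the allowlist range are all assumptions.

```python
"""Detect the support-tool abuse pattern described in the article.

Added example, not Grinding Gear Games' code. The audit log layout, the
actor names and the admin IP allowlist are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit log (not real data). Each line is:
# timestamp, acting admin account, action, target player account, source IP.
AUDIT_LOG = """\
2025-01-06T10:01:12Z svc_steam_test password_reset acct1042 203.0.113.7
2025-01-06T10:01:40Z svc_steam_test notification_delete acct1042 203.0.113.7
2025-01-06T10:02:05Z svc_steam_test password_reset acct2210 203.0.113.7
2025-01-06T10:02:31Z svc_steam_test notification_delete acct2210 203.0.113.7
2025-01-06T10:03:00Z svc_steam_test password_reset acct3307 203.0.113.7
2025-01-06T10:03:19Z svc_steam_test notification_delete acct3307 203.0.113.7
2025-01-06T10:04:44Z svc_steam_test password_reset acct4418 203.0.113.7
2025-01-06T10:05:12Z svc_steam_test password_reset acct5521 203.0.113.7
2025-01-06T11:15:02Z support_alice password_reset acct6600 198.51.100.10
2025-01-06T11:40:50Z support_alice password_reset acct6601 198.51.100.10
"""

# Assumed corporate egress range for admin tooling; any other source is flagged.
ADMIN_IP_ALLOWLIST = [ip_network("198.51.100.0/24")]
RESET_THRESHOLD = 5          # password resets by one actor inside WINDOW
WINDOW = timedelta(hours=1)


def parse_audit_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "action": action, "target": target,
            "ip": ip_address(ip),
        })
    return events


def detect(events):
    """Return a list of (rule, actor, detail) alerts."""
    alerts = []

    # Rule 1: admin tooling used from a source outside the allowlisted range,
    # reported once per (actor, source IP) pair.
    seen = set()
    for e in events:
        if not any(e["ip"] in net for net in ADMIN_IP_ALLOWLIST):
            key = (e["actor"], str(e["ip"]))
            if key not in seen:
                seen.add(key)
                alerts.append(("admin_action_from_unlisted_ip", e["actor"], str(e["ip"])))

    # Rule 2: a burst of password resets by one actor within a sliding window.
    resets = defaultdict(list)
    for e in events:
        if e["action"] == "password_reset":
            resets[e["actor"]].append(e["ts"])
    for actor, times in resets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= RESET_THRESHOLD:
                alerts.append(("bulk_password_reset", actor,
                               f"{end - start + 1} resets within {WINDOW}"))
                break

    # Rule 3: the actor who reset an account then deleted that account's
    # notification, i.e. the user was never told their password changed.
    last_reset = {}
    for e in events:
        if e["action"] == "password_reset":
            last_reset[(e["actor"], e["target"])] = e["ts"]
        elif e["action"] == "notification_delete":
            t = last_reset.get((e["actor"], e["target"]))
            if t is not None and e["ts"] - t <= WINDOW:
                alerts.append(("reset_notification_suppressed", e["actor"], e["target"]))
    return alerts


def run():
    """Parse the embedded sample log and return its alerts."""
    return detect(parse_audit_log(AUDIT_LOG))


if __name__ == "__main__":
    for rule, actor, detail in run():
        print(f"{rule}: {actor} ({detail})")
```

On the constructed input every alert names the test account and none names the regular support agent: the unlisted source IP fires once, the five resets inside an hour cross the burst threshold, and each of the three deleted notifications is paired with the reset that preceded it. The third rule is the one that matters most operationally, since a deleted notification is exactly the action that hides a takeover from the account owner, and it should be logged by the support tool even when the notification itself is gone.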
The community response has been mixed, with some praising the developer’s transparency while others advocate for the immediate implementation of two-factor authentication (2FA). While the developer has committed to further security improvements, players are urged to change their passwords and remain vigilant about their account security.