"Path of Exile 2 Confirms Data Breach Incident"

by Sadie May 14, 2025

Summary

  • Path of Exile 2 developer Grinding Gear Games confirmed a data breach occurred during the week of January 6, 2025, caused by a user accessing a developer's Steam-linked account.
  • The breach compromised player email addresses, Steam IDs, IP addresses, and other sensitive information.

Grinding Gear Games has acknowledged a data breach in Path of Exile 2, resulting from an unauthorized user gaining access to a developer's administrative account. This account was linked to Steam, which led to the exposure of player data including email addresses, Steam IDs, IP addresses, and other personal details. In response, the developers are taking immediate steps to enhance the security of their administrative accounts to prevent future incidents in both Path of Exile 2 and its predecessor, which share a common login system.

Since its early access launch in December 2024, Path of Exile 2 has maintained a strong player base, bolstered by consistent updates and active developer communication. A recent update notably improved performance on the PlayStation 5 and addressed various gameplay issues. As the next major patch approaches, Grinding Gear Games has prioritized addressing the data breach to ensure player safety before the new content is released.

The developers updated the official Path of Exile 2 forum, revealing they discovered the breach during the week of January 6, 2025. The compromised account, belonging to a developer, provided the unauthorized user access to customer support tools. The developers swiftly locked the account and enforced password resets for all other admin accounts. Further investigation revealed the breach stemmed from an old Steam account used for testing, which was inadvertently linked to the developer's Path of Exile account.

Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account

  • The breach affected a "significant number" of accounts, compromising email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

The attacker managed to set random passwords for 66 accounts and exploited a bug to delete logs tracking changes. Although this bug has been fixed, it allowed the attacker to view sensitive account information through the developer portal. Importantly, no passwords or password hashes were accessible through the customer service portal. However, the attacker could potentially use compromised email addresses to bypass region locks on Steam-linked accounts. Some affected accounts also had their transaction and private message histories viewed.

To mitigate future risks, Grinding Gear Games has prohibited linking third-party accounts to staff accounts and implemented stricter IP restrictions.

The community's reaction to the breach has been varied. While some players appreciate the transparency, others advocate for the implementation of two-factor authentication for Path of Exile 2 accounts. There's a clear demand for enhanced security measures, alongside requests for improvements in in-game content and adjustments to the game's endgame difficulty.
