Summary
- Path of Exile 2 developer Grinding Gear Games confirmed a data breach occurred during the week of January 6, 2025, resulting from unauthorized access to a developer's admin account linked to Steam.
- The breach compromised sensitive information including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes for a significant number of accounts.
Grinding Gear Games disclosed that a data breach in Path of Exile 2 was caused by a developer's compromised admin account. The developers have taken immediate steps to enhance the security of their admin accounts and prevent future breaches in both Path of Exile 2 and its predecessor, which share a common login system.
Since its early access release in December 2024, Path of Exile 2 has maintained a robust player base, supported by continuous updates and developer communication. A recent update enhanced the game's performance on PlayStation 5 and addressed issues with monsters, skills, and damage. As the next major patch approaches, Grinding Gear Games addressed the data breach to keep players informed before they dive into new content.
The official Path of Exile 2 forum was updated with a notice detailing the breach, which occurred when an account with admin access, owned by a developer, was compromised. This gave the unauthorized user access to customer support tools. The developers quickly locked the compromised account and enforced password resets across all admin accounts. Investigations revealed that the breach stemmed from an old Steam account used for testing, which was linked to the developer's Path of Exile account. Although the Steam account had no personal information, its link to the developer's account allowed the attacker to impact other accounts through the developer portal.
- Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account
- The attacker manipulated 66 accounts by setting random passwords and exploited a bug to delete logs, which has since been fixed. However, no passwords or password hashes were accessible through the customer service portal.
Grinding Gear Games noted that the attacker could potentially use compromised email addresses to bypass region locking on Steam-linked accounts by comparing them against lists of compromised passwords from other sites. The breach also allowed access to transaction and private message histories for some accounts. To mitigate future risks, the developers have prohibited linking third-party accounts to staff accounts and implemented stricter IP restrictions.
The community's reaction to the breach has been varied. While some players appreciate the transparency, others demand the implementation of two-factor authentication for Path of Exile 2 accounts. Many in the player base are also looking forward to enhancements in security, in-game content, and adjustments to the endgame difficulty of Path of Exile 2.