Path of Exile 2 Developer Addresses Significant Data Breach
Grinding Gear Games, the studio behind Path of Exile, has issued a public apology following a data breach impacting over 66 player accounts. The breach stemmed from a compromised Steam test account that held administrator privileges. The incident and the security changes that followed are described below.
Security Lapse and its Impact
A hacker exploited a long-standing, unsecured test Steam account. Because the account lacked the usual safeguards, such as a linked phone number or address, the attacker was able to impersonate its owner to Steam support and obtain access. Using internal support tools, the perpetrator then reset passwords on numerous PoE 1 and PoE 2 accounts. The attacker also deleted the password change notifications, concealing the resets from the affected players.
Sensitive data from the compromised accounts, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages, was accessed. This data poses a significant risk of misuse for malicious purposes.
Enhanced Security Measures and Player Response
Grinding Gear Games has responded by implementing stricter security protocols for administrator accounts. Third-party account linking to staff accounts is now prohibited, and significantly more robust IP restrictions have been put in place.
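The two abuses described above (password resets through staff tooling with the change notifications deleted afterwards, and staff actions coming from a network that should not have access) are both visible in an audit log if one is kept. The following detection logic is an added example and not code from Grinding Gear Games; the log line format, the field names, the allowlisted networks, the thresholds and the sample audit lines are all constructed for illustration.

```python
"""Detection over a constructed admin-tool audit log.

Three signals are raised:
  * a staff action from a source IP outside the allowlisted networks
    (the "IP restrictions" mitigation, checked after the fact),
  * a notification_delete on the same target shortly after a
    password_reset by the same actor (notification suppression),
  * a burst of password resets by one staff account.
Log format (constructed): 'ISO_TS actor action target src_ip'.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical networks from which staff tooling may be used.
ADMIN_ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
SUPPRESSION_WINDOW = timedelta(minutes=10)  # reset -> notification delete
BURST_THRESHOLD = 5                         # resets per actor per BURST_WINDOW
BURST_WINDOW = timedelta(hours=1)

# Constructed sample log: one routine reset by a staff member from inside the
# allowlist, then a compromised test account working from an outside address.
SAMPLE_LOG = [
    "2025-01-01T10:00:00 staff_alice password_reset player001 10.1.2.3",
    "2025-01-01T12:00:00 test_admin password_reset player042 198.51.100.7",
    "2025-01-01T12:00:30 test_admin notification_delete player042 198.51.100.7",
    "2025-01-01T12:01:00 test_admin password_reset player043 198.51.100.7",
    "2025-01-01T12:01:20 test_admin notification_delete player043 198.51.100.7",
    "2025-01-01T12:02:00 test_admin password_reset player044 198.51.100.7",
    "2025-01-01T12:03:00 test_admin password_reset player045 198.51.100.7",
    "2025-01-01T12:04:00 test_admin password_reset player046 198.51.100.7",
]


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, actor, action, target, src_ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "target": target, "src_ip": src_ip}


def in_allowlist(src_ip):
    return any(ip_address(src_ip) in net for net in ADMIN_ALLOWLIST)


def detect(lines):
    """Return a list of (alert_kind, actor, detail) tuples for the given log lines."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    resets = defaultdict(list)      # (actor, target) -> timestamps of resets
    recent_resets = defaultdict(list)  # actor -> reset timestamps in BURST_WINDOW
    seen_outside = set()            # (actor, src_ip) already reported

    for e in events:
        # Signal 1: staff action from a source address outside the allowlist.
        key = (e["actor"], e["src_ip"])
        if not in_allowlist(e["src_ip"]) and key not in seen_outside:
            seen_outside.add(key)
            alerts.append(("admin_action_outside_allowlist", e["actor"], e["src_ip"]))

        if e["action"] == "password_reset":
            resets[(e["actor"], e["target"])].append(e["ts"])
            # Signal 3: sliding-window count of resets per actor.
            window = [t for t in recent_resets[e["actor"]] if e["ts"] - t <= BURST_WINDOW]
            window.append(e["ts"])
            recent_resets[e["actor"]] = window
            if len(window) == BURST_THRESHOLD:
                alerts.append(("reset_burst", e["actor"], len(window)))

        elif e["action"] == "notification_delete":
            # Signal 2: the notice of a reset by this actor is removed soon after.
            prior = resets[(e["actor"], e["target"])]
            if any(e["ts"] - t <= SUPPRESSION_WINDOW for t in prior):
                alerts.append(("notification_suppressed_after_reset", e["actor"], e["target"]))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the routine reset by staff_alice raises nothing, while the test_admin activity produces one outside-allowlist alert, two notification-suppression alerts and one burst alert. The suppression signal is the one most worth keeping in a real deployment, since the only legitimate reason to delete a reset notice is rare enough that every hit deserves a look.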
The developer's transparency has been largely praised by the community, though many players are urging the implementation of two-factor authentication (2FA) for stronger account security. While the timeline for 2FA remains unannounced, players are advised to change their passwords and remain vigilant about their account information. The breach serves as a stark reminder of the importance of robust security practices across all online platforms.
