Path of Exile 2 Confirms Data Breach

Summary

• Grinding Gear Games, the developer of Path of Exile 2, confirmed a data breach occurring the week of January 6, 2025.
• The breach stemmed from a compromised developer account linked to Steam.
• Compromised data included player email addresses, Steam IDs, IP addresses, and other information.

Following its December 2024 early access launch, Path of Exile 2 has enjoyed a robust player base, fueled by consistent updates and developer communication. Recent updates addressed PlayStation 5 performance and various in-game issues. Grinding Gear Games proactively addressed this data breach prior to the release of the next major patch.

Grinding Gear Games' official Path of Exile 2 forum announced the breach discovered the week of January 6, 2025. A developer's admin account was compromised, granting access to customer support tools. The account was immediately locked, and all admin accounts underwent mandatory password resets. Investigation revealed the compromised account was linked to an old, inactive Steam account used for testing. While this Steam account contained no personal or purchase information, access to the developer's Path of Exile account allowed the attacker to potentially affect other accounts via the developer portal.

Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account

• A "significant number" of accounts were affected, with compromised data including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

The attacker altered passwords on 66 accounts and exploited a bug to delete logs detailing these changes. This bug, affecting only log deletion, has been fixed. The breach allowed access to account information for a significant number of accounts on the developer portal. This included email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. While passwords and password hashes were not directly accessible, the attacker might have attempted to use compromised email addresses with password lists from other breaches to circumvent regional account restrictions. For some accounts, transaction and private message histories with Grinding Gear Games staff were also viewed. To prevent future breaches, third-party account linking to staff accounts has been disabled, and IP restrictions have been significantly strengthened.

Community reaction has been mixed, with some praising the developer's transparency while others advocate for two-factor authentication. Many players also expressed desires for improved security, additional in-game content, and endgame difficulty adjustments.