
Summary
- Grinding Gear Games, the developer of Path of Exile 2, confirmed a data breach occurring the week of January 6, 2025.
- The breach stemmed from a compromised developer account linked to Steam.
- Compromised data included player email addresses, Steam IDs, IP addresses, and other information.
Following its December 2024 early access launch, Path of Exile 2 has maintained a strong player base, fueled by consistent updates and developer communication. Recent updates improved PlayStation 5 performance and addressed various in-game issues. Grinding Gear Games proactively addressed this data breach before the release of the next major patch.
A notice on the official Path of Exile 2 forum detailed the breach, which was discovered the week of January 6, 2025. A developer's account with website admin access was compromised, giving the attacker access to customer support tools. The account was immediately locked, and all admin accounts underwent forced password resets. The investigation found that the compromised account was linked to an old Steam account used for testing, and that link facilitated access to the developer's Path of Exile account. While the Steam account contained no personal information, access to the developer portal allowed the attacker to view information from other accounts.
Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account
- A "significant number" of accounts were affected, with compromised data including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.
The attacker altered passwords on 66 accounts and exploited a bug to delete logs of their actions. This bug, since patched, only affected log deletion and not other support functions. The breach allowed access to account information via the developer portal, exposing email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. While passwords themselves were not directly accessible, the attacker potentially used compromised email addresses to bypass regional restrictions on Steam-linked accounts. Some accounts also had their transaction and private message histories accessed. To prevent future breaches, linking third-party accounts to staff accounts is now prohibited, and IP restrictions have been significantly strengthened.
Player reaction to the breach has been mixed. While some praised the developer's transparency, others called for two-factor authentication and further security improvements. Many players also expressed desires for additional security measures, improved in-game content, and endgame difficulty adjustments.