Path of Exile 2 Developer Addresses Major Data Breach
Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised Steam test account with administrator privileges. This compromised account allowed unauthorized access to over 66 player accounts.
Security Lapse Detailed
The breach involved a long-standing test account lacking crucial security features like linked phone numbers or addresses. This weakness allowed a hacker, supplying minimal identifying information (email address and account name) and using a VPN to mask location, to successfully impersonate the account holder and gain access via Steam support.
The hacker exploited the account's admin access to reset passwords on numerous PoE 1 and PoE 2 accounts. Further, the attacker cleverly deleted password change notifications, preventing affected players from immediately recognizing the breach. Sensitive data accessed included email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages.
Grinding Gear Games acknowledged the severity of the situation and outlined steps taken to prevent future incidents. These include enhanced security protocols around admin accounts, prohibiting third-party account linking to staff accounts, and implementing stricter IP restrictions.

Community Response and Future Security
The developer's transparent response has been met with a mixed reaction from the community. While some players appreciate the honesty, many are calling for the immediate implementation of two-factor authentication (2FA) to bolster account security. Players are advised to change their passwords and remain vigilant about their account information. Whether 2FA will be implemented remains to be seen, but it is a highly requested security measure.