PoE 2 Data Breach Confirmed

by Elijah Feb 11, 2025

Path of Exile 2 Developer, Grinding Gear Games, Addresses Data Breach

Grinding Gear Games recently disclosed a data breach affecting Path of Exile 2 players. The breach, discovered the week of January 6th, 2025, stemmed from a compromised developer account linked to Steam.

The Breach: A malicious actor gained unauthorized access to a developer's admin account, which gave them access to sensitive player data. The exposed information included email addresses, Steam IDs, IP addresses, and, for a significant number of accounts, shipping addresses and unlock codes. Passwords themselves were not directly accessible, but the attacker could potentially check the compromised email addresses against known password lists to circumvent regional account restrictions. In some cases, transaction and private message histories were also viewed.

Grinding Gear Games' Response: The developer immediately took action, locking the compromised account and initiating mandatory password resets for all admin accounts. A subsequent investigation revealed the breach originated from an old, test-only Steam account linked to the developer's Path of Exile account. The company has since implemented enhanced security measures, including the removal of third-party account linking for staff accounts and significantly stricter IP restrictions. A bug allowing the deletion of relevant logs has also been patched.

Player Reaction: Community response has been varied. While some commend Grinding Gear Games' transparency, others advocate for the implementation of two-factor authentication for player accounts. Concerns regarding overall account security and game content, including endgame difficulty adjustments, have also been raised.

Key Takeaways: This incident highlights the importance of robust security measures, even for internal accounts. Grinding Gear Games' swift response and commitment to improved security are noteworthy, but the incident underscores the ongoing need for enhanced security protocols within the gaming industry.