Path of Exile 2 Apologizes for Major Data Breach

by Aria, Mar 01, 2025

Path of Exile 2 Developer Addresses Significant Data Breach

Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a data breach impacting over 66 player accounts. The breach stemmed from a compromised Steam test account with administrative privileges. This article details the events and the steps taken to address the security vulnerability.

Security Lapse Detailed

The breach originated from a compromised Steam account that had long been used for testing and lacked crucial security measures such as a linked phone number or address. Without them, an attacker was able to impersonate the account owner to Steam support and gain access with minimal information: the email address and account name, while using a VPN to mask their location.

The attacker exploited the compromised account to reset passwords on 66 PoE 1 and PoE 2 accounts, cleverly deleting password change notifications to avoid detection. Sensitive data accessed included email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This information poses a significant risk of further account compromise and misuse.

Enhanced Security Measures Implemented

Grinding Gear Games has responded by implementing enhanced security protocols for administrative accounts. These measures include stricter IP restrictions and a prohibition on linking third-party accounts to staff accounts. The developer acknowledges the security lapse and expresses regret for the incident.

The community response has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA) for enhanced account security. While the future implementation of 2FA remains unclear, players are advised to change their passwords and remain vigilant about their account information.