Path of Exile 2 Developer Acknowledges Data Breach Affecting Player Information
Grinding Gear Games, the developer behind Path of Exile 2, has confirmed a data breach that occurred during the week of January 6, 2025. The breach stemmed from a compromised developer account linked to Steam.
Compromised Data: A significant number of player accounts were affected, with the breach exposing email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. While passwords and password hashes were not directly accessible, the risk of credential stuffing remains a concern. In some cases, transaction and private message histories were also viewed.
Breach Details: The breach originated from a compromised developer account used for testing purposes. This account provided access to the developer portal, allowing the attacker to view sensitive player data. The attacker also exploited a bug to delete logs, hindering the investigation. This bug has since been patched. Furthermore, 66 accounts had their passwords arbitrarily changed.
Security Enhancements: In response to the breach, Grinding Gear Games has implemented several security measures, including the removal of third-party account linking for staff accounts and significantly stricter IP restrictions.
Community Reaction: Player reactions have been varied, with some commending the developer's transparency while others advocate for the implementation of two-factor authentication. Many players also expressed a desire for improved security protocols and further game content adjustments.
Timeline: The breach was discovered and addressed promptly, with affected accounts secured and password resets enforced. The developer is actively working to prevent future incidents. This incident highlights the importance of robust security practices in online gaming.