Path of Exile 2 Confirms Data Breach

Summary

• Grinding Gear Games, the developer of Path of Exile 2, confirmed a data breach occurring the week of January 6, 2025.
• The breach stemmed from a compromised developer account linked to Steam.
• Compromised data included player email addresses, Steam IDs, IP addresses, and other information.

Grinding Gear Games acknowledged a data breach affecting Path of Exile 2, resulting from a compromised developer admin account. The developers detailed subsequent steps to enhance admin account security and prevent future breaches across both Path of Exile 2 and its predecessor (which share a single account login).

Since its December 2024 early access launch, Path of Exile 2 has maintained a robust player base, fueled by consistent updates and developer communication. Recent updates addressed PlayStation 5 performance and various in-game issues (monsters, skills, damage). Grinding Gear Games proactively addressed the data breach ahead of the upcoming major patch release.

A notice on the official Path of Exile 2 forum confirmed Grinding Gear Games' awareness of the breach the week of January 6, 2025. A developer's website admin account was compromised, granting access to tools normally used by Path of Exile 2's customer support team. The account was immediately locked, and all other admin accounts were forced to reset their passwords. Investigation revealed the compromised account was linked to an old, test-only Steam account, providing the attacker sufficient information for account takeover. While this Steam account lacked purchase or personal information, access to the developer's Path of Exile account allowed manipulation of other accounts via the developer portal.

Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account

• A "significant number" of accounts were affected, with compromised data including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

The attacker randomly reset passwords on 66 accounts and exploited a bug to delete logs tracking changes. Grinding Gear Games confirmed this bug, affecting only log deletion, has been fixed. The breach allowed the attacker to view account information (email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes) on the developer portal. While passwords and password hashes were inaccessible via the customer service portal, Grinding Gear Games acknowledged the possibility of the attacker using compromised email addresses to bypass regional account restrictions on Steam. For some accounts, the attacker accessed transaction and private message history with Grinding Gear Games staff. To prevent recurrence, third-party account linking to staff accounts is prohibited, and IP restrictions are significantly stricter.

Community reaction to the breach is mixed. Some players commended the developers' transparency, while others advocated for two-factor authentication for Path of Exile 2 accounts. A significant portion of the player base desires improved security, enhanced in-game content, and endgame difficulty adjustments in Path of Exile 2.