Path of Exile 2: Data Breach Confirmed

Author: Lillian. Update: Mar 14, 2025

Summary

  • Grinding Gear Games, the developer of Path of Exile 2, confirmed a data breach occurring the week of January 6, 2025.
  • The breach stemmed from a compromised developer account linked to Steam.
  • Compromised data included player email addresses, Steam IDs, IP addresses, and other information.

Grinding Gear Games confirmed a data breach affecting Path of Exile 2 following the compromise of a developer's administrative account. The developers outlined steps to enhance the security of their administrative accounts, intended to prevent future breaches across both Path of Exile 2 and its predecessor, which share a single account login.

Since its early access launch in December 2024, Path of Exile 2 has maintained a strong player base, fueled by consistent updates and developer communication. Recent updates included PlayStation 5 performance improvements and bug fixes related to monsters, skills, and damage. The breach disclosure comes ahead of the release of Path of Exile 2's next major patch.

Grinding Gear Games posted a notice on the official Path of Exile 2 forum detailing the breach, which was discovered the week of January 6, 2025. A developer's website admin account was compromised, granting access to tools normally used by the customer support team. The account was immediately locked, and all other admin accounts underwent forced password resets. The investigation revealed that the compromised account was linked to an old, test-only Steam account, which gave the attacker sufficient information for account takeover. While this Steam account held no purchase or personal data, access to the developer's Path of Exile account allowed manipulation of other accounts via the developer portal.

The attacker randomly reset passwords on 66 accounts, exploiting a bug to delete logs tracking these changes. Grinding Gear Games confirmed this bug was unique to this action and has been patched. The breach allowed viewing of account information for a "significant number" of accounts on the developer portal, exposing email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

While passwords and password hashes weren't directly accessible, Grinding Gear Games acknowledged the possibility of the attacker cross-referencing email addresses with compromised password lists from other sources to circumvent region locking for Steam-linked Path of Exile 2 accounts. For some accounts, the attacker accessed transaction history and private message history with Grinding Gear Games staff. To prevent recurrence, linking third-party accounts to staff accounts is now prohibited, and significantly stricter IP restrictions are in place.

Community reaction has been mixed, with some praising the developers' transparency, while others advocate for two-factor authentication. A significant portion of the player base desires improved security, along with enhancements to in-game content and endgame difficulty adjustments.