Path of Exile 2 Developer, Grinding Gear Games, Addresses Data Breach
Grinding Gear Games recently disclosed a data breach affecting Path of Exile 2 accounts. The breach, discovered the week of January 6th, 2025, stemmed from a compromised developer account linked to Steam. Through that account, the perpetrator gained access to tools used by the customer support team.
The exposed data covered a significant number of player accounts and included email addresses, Steam IDs, IP addresses, and in some cases, shipping addresses and unlock codes. While passwords and password hashes were not directly accessible, the risk of credential stuffing remains a concern. The attacker also altered passwords on 66 accounts and exploited a bug to delete relevant logs, though this bug has since been patched. For a subset of affected accounts, the attacker viewed transaction and private message history.
In response, Grinding Gear Games immediately secured the compromised account, implemented mandatory password resets for all admin accounts, and enhanced security measures. These include eliminating the linking of third-party accounts to staff accounts and implementing stricter IP restrictions.
Player reaction has been varied: some appreciate the developer's transparency, while others advocate for the implementation of two-factor authentication. Many also want enhanced security features and further improvements to in-game content and endgame difficulty.