"Path of Exile 2 Data Breach Confirmed"

Author: Kristen Update: Apr 04, 2025

Summary

  • Path of Exile 2 developer Grinding Gear Games has confirmed a data breach that occurred during the week of January 6, 2025.
  • The breach was initiated by an unauthorized user gaining access to a developer's account, which was linked to Steam.
  • The compromised data includes player email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

Grinding Gear Games has acknowledged that Path of Exile 2 suffered a data breach after an admin account belonging to one of their developers was compromised. In response, the developers have outlined plans to enhance the security of their admin accounts to prevent future breaches in both Path of Exile 2 and its predecessor, which share a common login system.

Since its early access launch in December 2024, Path of Exile 2 has enjoyed a robust player base, supported by regular updates and clear communication from Grinding Gear Games. A recent update enhanced the game's performance on the PlayStation 5, addressing issues with monsters, skills, and damage. The next major patch is on the horizon, and the developers have addressed the data breach issue before players dive into the new content.

The official Path of Exile 2 forum was updated with a notice from the developers, confirming that the data breach was discovered during the week of January 6, 2025. The compromised account had admin access to the website, of the kind typically used by the customer support team. Upon discovery, the developers immediately secured the account and enforced password resets for all other admin accounts. Further investigation revealed that the breach occurred through an old Steam account used for testing, which provided the attacker with enough information to hijack the developer's Path of Exile account. Although the Steam account itself contained no personal information, access to the developer's account allowed manipulation of other accounts via the developer portal.

Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account

  • The breach affected a "significant number" of accounts, compromising email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

The attacker managed to set random passwords on 66 accounts and exploited a bug to delete logs tracking changes. Grinding Gear Games has since fixed this bug, but not before the attacker accessed account information through the developer portal. While passwords and password hashes were not directly accessible, the attacker could potentially use email addresses to bypass region locking on Steam-linked accounts by comparing them against lists of compromised passwords from other sites. The breach also allowed the attacker to view transaction and private message histories with Grinding Gear Games staff. To mitigate future risks, the company has implemented stricter IP restrictions and prohibited linking third-party accounts to staff accounts.

The community's reaction to the breach has been varied. Some players appreciate the transparency from Grinding Gear Games, while others advocate for the addition of two-factor authentication to Path of Exile 2 accounts. There is a clear demand from a significant portion of the player base for enhanced security measures, alongside requests for improvements in in-game content and adjustments to the endgame difficulty in Path of Exile 2.