Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account
Summary
- Grinding Gear Games, the developer of Path of Exile 2, confirmed a data breach discovered the week of January 6, 2025.
- The breach stemmed from a compromised developer admin account that was linked to an old Steam account.
- A "significant number" of accounts were affected, with compromised data including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.
Grinding Gear Games acknowledged a data breach affecting Path of Exile 2 that resulted from a compromised developer admin account. The developers outlined steps to harden admin account security and prevent similar breaches across both Path of Exile 2 and its predecessor, which share a single account login.
Since its December 2024 early access launch, Path of Exile 2 has maintained a strong player base, fueled by consistent updates and developer communication. Recent updates improved PlayStation 5 performance and addressed various issues affecting monsters, skills, and damage. The studio's public handling of the breach comes ahead of Path of Exile 2's next major patch.
Grinding Gear Games announced the breach on the official Path of Exile 2 forum, saying it was discovered the week of January 6, 2025. A developer's website admin account was compromised, granting access to tools normally used by the customer support team. The account was immediately locked, and all other admin accounts were forced to reset their passwords. The investigation found that the compromised account was linked to an old, test-only Steam account, which gave the attacker enough information to gain access. While this Steam account held no personal or purchase information, access to the developer's Path of Exile account allowed the attacker to manipulate other accounts through the developer portal.
The attacker changed the passwords on 66 accounts, apparently at random, and exploited a bug to delete the logs that recorded those changes. Grinding Gear Games confirmed that the bug affected only log deletion and has since been fixed. Through the developer portal the attacker could also view account information for a significant number of accounts, exposing email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.
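The log-deletion bug described above is the kind of gap a tamper-evident audit log closes: if every admin-portal record commits to the hash of the record before it, removing an entry breaks the chain and is detectable, and the same records can be scanned for an admin resetting an unusual number of passwords in a short window. The following is an added illustration, not Grinding Gear Games' code; the admin names, account IDs, IP addresses and timestamps are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # hash of the (empty) record before the first one

def _digest(prev_hash, event):
    """Each record commits to the previous hash, so deleting or editing one breaks the chain."""
    return hashlib.sha256((prev_hash + json.dumps(event, sort_keys=True)).encode()).hexdigest()

def build_chain(events):
    """Append-only audit log: every record carries the hash of the record before it."""
    chained, prev = [], GENESIS
    for ev in events:
        h = _digest(prev, ev)
        chained.append({**ev, "prev": prev, "hash": h})
        prev = h
    return chained

def verify_chain(chained):
    """Return the index of the first record whose link is broken, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if rec["prev"] != prev or rec["hash"] != _digest(prev, body):
            return i
        prev = rec["hash"]
    return -1

def reset_bursts(events, limit=5, window=timedelta(minutes=10)):
    """Admins who performed more than `limit` password resets inside any sliding `window`."""
    flagged, per_admin = set(), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "password_reset":
            continue
        times = per_admin.setdefault(ev["admin"], [])
        times.append(datetime.fromisoformat(ev["ts"]))
        while times[0] < times[-1] - window:  # drop resets that fell out of the window
            times.pop(0)
        if len(times) > limit:
            flagged.add(ev["admin"])
    return flagged

# Constructed sample: one admin account resets eight passwords in 140 seconds,
# a support agent resets two over several hours (hypothetical names and IPs).
start = datetime(2025, 1, 7, 2, 0)
SAMPLE = [{"ts": (start + timedelta(seconds=20 * i)).isoformat(), "admin": "dev_admin",
           "action": "password_reset", "target": f"acct-{i}", "ip": "203.0.113.5"} for i in range(8)]
SAMPLE += [{"ts": (start + timedelta(hours=h)).isoformat(), "admin": "support_1",
            "action": "password_reset", "target": f"ticket-{h}", "ip": "198.51.100.9"} for h in (1, 3)]
```

Removing any one record from `build_chain(SAMPLE)` makes `verify_chain` return that record's index instead of -1, and `reset_bursts(SAMPLE)` flags only `dev_admin`.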
While passwords and password hashes were not accessible through the customer service portal, Grinding Gear Games acknowledged the possibility of the attacker cross-referencing the exposed email addresses with password lists compromised on other websites in order to circumvent region locking for Steam-linked Path of Exile 2 accounts. For some accounts, the attacker also accessed transaction histories and private message histories with Grinding Gear Games staff. To prevent future breaches, linking third-party accounts to staff accounts is now prohibited, and significantly stricter IP restrictions are in place.
Community reaction to the breach is mixed: some players praise the developers' transparency, while others call for two-factor authentication. A notable segment of the player base wants improved security alongside more in-game content and adjustments to Path of Exile 2's endgame difficulty.