Path of Exile developer, Grinding Gear Games, has issued a sincere apology for a recent security breach stemming from a compromised test Steam account with administrator privileges. This incident affected over 66 accounts. Read on for details of the breach and the steps taken to address it.
Over 66 Accounts Compromised
Enhanced Security Measures Promised
Grinding Gear Games' official PoE forum post, "Data Breach Notification," details the breach. A hacker compromised a Steam account that had administrative access to Path of Exile and, using the customer support tools that access provided, reset the passwords on 66 PoE 1 and PoE 2 accounts. The takeover was possible because the compromised admin account, an older test account, had no linked purchases, phone number, or address that Steam support could use to verify its owner. The attacker impersonated the account owner to Steam support with minimal information (email address and account name), using a VPN to mask their location.
The hacker also deleted the password change notifications, concealing the resets from the affected players. Through the support tools, the attacker gained access to sensitive data, including email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This data poses a significant risk to affected users.
Grinding Gear Games states that improved security measures are now in place for admin accounts to prevent a recurrence: linking third-party accounts to staff accounts is prohibited, and stricter IP restrictions have been implemented. The company acknowledges the security lapse and pledges further improvements to prevent similar incidents.
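The two failure modes the notice describes, a staff account recoverable through a third party's support flow and a support tool whose notifications could be silently deleted, map to simple controls. The following is an added illustration, not Grinding Gear Games' code: a staff-login policy check (no third-party identity linked, source address on an allowlist) and a scan of an append-only audit trail for resets followed by notification deletion. All account names, IP ranges and audit events are constructed.

```python
"""Illustrative controls for the failure modes described in the breach notice.
Added example, not Grinding Gear Games' code; all names and records are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class StaffAccount:
    name: str
    linked_identities: list = field(default_factory=list)  # e.g. ["steam"]

# Constructed allowlist using a documentation range; a real one would hold office/VPN egress.
STAFF_IP_ALLOWLIST = [ip_network("203.0.113.0/24")]

def admin_login_allowed(acct: StaffAccount, src_ip: str) -> tuple[bool, str]:
    """Deny admin-tool access when the staff account is linked to a third-party
    identity (recoverable through that party's support process) or when the
    request comes from an address outside the staff allowlist."""
    if acct.linked_identities:
        return False, f"third-party identity linked: {acct.linked_identities}"
    if not any(ip_address(src_ip) in net for net in STAFF_IP_ALLOWLIST):
        return False, f"source {src_ip} outside staff allowlist"
    return True, "ok"

# Constructed append-only audit trail of support-tool actions:
# (sequence, actor, action, target). Deleting a notification is itself an
# audited action, so it cannot hide the reset it was meant to conceal.
AUDIT = [
    (1, "support_alice", "password_reset", "player_001"),
    (2, "support_alice", "notification_sent", "player_001"),
    (3, "test_admin_legacy", "password_reset", "player_002"),
    (4, "test_admin_legacy", "notification_sent", "player_002"),
    (5, "test_admin_legacy", "notification_deleted", "player_002"),
    (6, "test_admin_legacy", "password_reset", "player_003"),
    (7, "test_admin_legacy", "notification_deleted", "player_003"),
]

def find_concealed_resets(audit):
    """Return (actor, target) pairs where an actor reset a password and later
    deleted the notification for the same target account."""
    resets = {(actor, target) for _, actor, act, target in audit if act == "password_reset"}
    return [(actor, target) for _, actor, act, target in audit
            if act == "notification_deleted" and (actor, target) in resets]

def actors_to_review(audit, threshold=1):
    """Actors with more than `threshold` concealed resets, sorted by name."""
    counts = {}
    for actor, _ in find_concealed_resets(audit):
        counts[actor] = counts.get(actor, 0) + 1
    return sorted(actor for actor, n in counts.items() if n > threshold)
```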
Community response has been mixed, with praise for the developer's transparency alongside calls for two-factor authentication (2FA) to enhance account security. While the implementation of 2FA remains pending, players are urged to change their passwords and remain vigilant about their account information.