Summary
- Path of Exile 2 developer Grinding Gear Games confirms a data breach occurred during the week of January 6, 2025.
- The breach was initiated by a user who accessed a developer's account linked to Steam.
- Compromised data includes player email addresses, Steam IDs, IP addresses, and other personal information.
Grinding Gear Games has confirmed a data breach in Path of Exile 2 that resulted from the compromise of a developer's admin account linked to Steam. The developers are taking steps to enhance the security of their admin accounts to prevent future breaches in both Path of Exile 2 and its predecessor, which share a common login system.
Since its early access launch in December 2024, Path of Exile 2 has maintained a strong player base, supported by regular updates and developer communication. A recent update enhanced the game's performance on PlayStation 5, addressing issues with monsters, skills, and damage. The upcoming major patch is set to introduce new content, and Grinding Gear Games is addressing the data breach before players dive back into the game.
The official Path of Exile 2 forum was updated with a notice on January 6, 2025, detailing the breach. A developer's account with admin access was compromised, allowing unauthorized access to customer support tools. The account was quickly locked, and all other admin accounts had their passwords reset. The investigation revealed that the compromised Path of Exile account was linked to an old Steam test account, enabling the breach.
Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account
- The breach affected a "significant number" of accounts, compromising email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.
The attacker changed passwords on 66 accounts and exploited a bug to delete logs tracking changes. Although this bug has been fixed, it allowed the attacker to access sensitive account information. While no passwords or password hashes were directly accessible, the attacker could potentially use compromised email addresses to bypass region locks on Steam-linked accounts. The breach also allowed access to transaction and private message histories. To prevent future incidents, Grinding Gear Games has implemented stricter IP restrictions and prohibited linking third-party accounts to staff accounts.
The community's reaction to the breach has been varied. Some players appreciate the transparency, while others demand the addition of two-factor authentication to Path of Exile 2 accounts. There's a clear desire among players for improved security measures, as well as enhancements to in-game content and adjustments to endgame difficulty.