Path of Exile Developer Addresses Major Data Breach
Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a significant data breach earlier this month. The breach stemmed from a compromised Steam test account with administrative privileges. This compromised account allowed unauthorized access to over 66 player accounts.
Security Lapse Detailed
The breach involved a long-standing test account lacking typical security measures like linked phone numbers or addresses. This gap allowed a hacker to successfully impersonate the account owner to Steam support, gaining access with minimal information (an email address and an account name) while using a VPN to mask their location.
The hacker exploited the account's administrative access to reset passwords on numerous Path of Exile 1 and 2 accounts. Furthermore, the attacker cleverly deleted password change notifications, concealing their actions from affected users. The compromised data included sensitive personal information such as email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This information poses a significant risk of misuse.
Enhanced Security Measures Implemented
Grinding Gear Games has pledged to enhance security protocols to prevent future incidents. Key improvements include stricter regulations on administrative accounts, prohibiting the linking of third-party accounts to staff accounts, and implementing more robust IP restrictions. The company acknowledges the security lapse and expresses deep regret for the inconvenience caused.
The community response has been mixed: some players praise the developer's transparency, while others advocate for the immediate implementation of two-factor authentication (2FA) for enhanced account security. The timeline for 2FA implementation remains unclear; in the meantime, players are urged to change their passwords and remain vigilant about their account information.