Summary

• Grinding Gear Games, the developer of Path of Exile 2, confirmed a data breach occurring the week of January 6, 2025.
• The breach stemmed from a compromised developer account linked to Steam.
• Compromised data included email addresses, Steam IDs, IP addresses, and other user information.

Grinding Gear Games acknowledged a data breach affecting Path of Exile 2 due to a compromised developer admin account. The developers outlined steps to enhance admin account security, preventing future breaches across both Path of Exile and Path of Exile 2, which share a single account login system.

Since its December 2024 early access launch, Path of Exile 2 has maintained a strong player base, fueled by consistent updates and developer communication. Recent updates addressed PlayStation 5 performance and various in-game issues related to monsters, skills, and damage. With a major patch imminent, Grinding Gear Games proactively addressed the data breach before players engaged with the new content.

A notice on the official Path of Exile 2 forum confirmed Grinding Gear Games' awareness of the breach the week of January 6, 2025. A developer's website admin account was compromised, granting access to tools typically used by the customer support team. Immediate account lockdown and forced password resets for all admin accounts followed. Investigation revealed the compromised account was linked to an old Steam account used for testing, providing the attacker with sufficient information to gain access. While the Steam account lacked purchase or personal information, access to the developer's Path of Exile account enabled manipulation of other accounts via the developer portal.

Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account

• The breach affected a "significant number" of accounts, compromising email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

The attacker randomly set passwords on 66 accounts, exploiting a bug to delete logs tracking changes. Grinding Gear Games confirmed this bug, affecting only log deletion, has been fixed. The breach allowed access to account information for a significant number of accounts on the developer portal, resulting in the compromise of email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

While passwords and password hashes were inaccessible via the customer service portal, Grinding Gear Games noted the possibility of the attacker cross-referencing email addresses with compromised password lists from other websites to bypass regional account restrictions on Steam. For some accounts, transaction and private message history with Grinding Gear Games staff was also viewed. To prevent recurrence, third-party account linking to staff accounts is prohibited, and significantly stricter IP restrictions are now in place.

Community response to the breach is varied, with some praising the developers' transparency, while others advocate for two-factor authentication. A significant portion of the player base desires improved security, enhanced in-game content, and adjustments to Path of Exile 2's endgame difficulty.