Grinding Gear Games, the developer behind Path of Exile, has issued a public apology following a data breach impacting over 66 accounts. The breach stemmed from a compromised Steam test account with administrative privileges. This article details the events and the steps taken to prevent future incidents.
The Breach: A Compromised Admin Account
The breach originated from a long-standing test Steam account used internally. Because the account had no linked phone number or address, there was little for Steam support to verify ownership against. A hacker impersonated the account owner to Steam support and gained access using only minimal information (the email address, the account name, and a VPN-masked location).
This unauthorized access allowed the hacker to reset passwords on 66 Path of Exile 1 and 2 accounts using internal customer support tools. The hacker also deleted the password change notifications, so the affected users were not alerted to the resets. Sensitive data accessed included email addresses, Steam IDs, IP addresses, shipping addresses, unlock codes, transaction histories, and private messages. This compromised information poses a significant risk to affected players.
Enhanced Security Measures and Player Response
Grinding Gear Games has responded by implementing enhanced security protocols for administrative accounts. These measures include stricter IP restrictions and a prohibition on linking third-party accounts to staff accounts. The developers acknowledge the security lapse and express deep regret for the incident.
The community's reaction has been mixed, with some praising the developer's transparency while others advocate for the immediate implementation of two-factor authentication (2FA). While 2FA is not yet confirmed, players are urged to change their passwords and remain vigilant regarding account security.