Path of Exile 2 Confirms Data Breach

Mar 19,25

Summary

  • Grinding Gear Games, the developer of Path of Exile 2, confirmed a data breach occurring the week of January 6, 2025.
  • The breach stemmed from a compromised developer account linked to Steam.
  • Compromised data included player email addresses, Steam IDs, IP addresses, and other information.

Grinding Gear Games acknowledged a data breach affecting Path of Exile 2 that resulted from a compromised developer admin account. The developers outlined steps to tighten admin account security, with the aim of preventing future breaches across both Path of Exile and Path of Exile 2 (which share a single account login).

Following its December 2024 early access launch, Path of Exile 2 has maintained a strong player base, fueled by consistent updates and developer communication. Recent updates included PlayStation 5 performance improvements and bug fixes related to monsters, skills, and damage. The breach disclosure comes ahead of the release of Path of Exile 2's next major patch.

Grinding Gear Games posted a notice on the official Path of Exile 2 forum detailing the data breach, which was discovered the week of January 6, 2025. A developer's admin account was compromised, granting access to tools typically used by the customer support team. After the discovery, the account was immediately locked down and password resets were forced on all admin accounts. The investigation revealed that the compromised account was linked to an old, test-only Steam account, which gave the attacker sufficient information for account takeover. While the Steam account lacked personal information or purchase history, access to the developer's Path of Exile account allowed manipulation of other accounts via the developer portal.

  • A "significant number" of accounts were affected, with compromised data including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

The attacker set random passwords on 66 accounts and exploited a bug to delete logs of their actions. Grinding Gear Games confirmed that this bug, which affected only log deletion, has been fixed. The breach allowed access to account information for a "significant number" of accounts on the developer portal, exposing email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

While passwords and password hashes weren't directly accessible, Grinding Gear Games noted the potential for the attacker to cross-reference email addresses with compromised password lists from other websites to bypass region locks on Steam-linked accounts. For some accounts, transaction and private message history with Grinding Gear Games staff was also viewed. To prevent recurrence, third-party account linking to staff accounts is now prohibited, and IP restrictions have been made significantly stricter.

Community reaction to the breach is mixed. Some players commend the developers' transparency, while others advocate for two-factor authentication. A notable portion of the player base seeks improved security, enhanced in-game content, and endgame difficulty adjustments in Path of Exile 2.
