Summary: Grinding Gear Games Confirms Major Data Breach in Path of Exile 2 (Week of January 6, 2025)
Grinding Gear Games (GGG) has officially confirmed a significant data breach affecting Path of Exile 2, occurring during the week of January 6, 2025. The incident stemmed from a compromised developer administrative account linked to a legacy Steam test account, which granted unauthorized access to internal tools used by customer support.
🔍 Key Details of the Breach:
- Root Cause: A long-unused Steam test account—though not tied to personal purchases or data—was linked to a developer’s admin account. This connection allowed attackers to gain full access to the developer portal.
- Exposed Data: A "significant number" of player accounts were impacted. Compromised information includes:
- Email addresses
- Steam IDs
- IP addresses
- Shipping addresses
- Unlock codes
- Transaction histories (for some)
- Private messages from GGG staff (in select cases)
- Malicious Actions Performed:
- 66 accounts had randomized passwords set by the attacker.
- A bug allowed deletion of activity logs, enabling the attacker to erase traces of their actions.
- The attacker could view sensitive account details via the developer portal.
- Password Security: Passwords and password hashes were not directly accessible via the customer service portal. However, GGG warned that attackers may have attempted to match exposed emails with password lists from past breaches, potentially bypassing Steam region locks.
✅ Immediate Response & Mitigation:
- Account Lockdown: The compromised admin account was immediately disabled.
- Password Resets: All admin accounts were forced to reset passwords.
- Security Enhancements Implemented:
- Third-party account linking (e.g., Steam) has been disabled for staff accounts.
- Stricter IP restrictions now apply to all admin access.
- The bug enabling log deletion has been patched and confirmed not to affect other systems.
- Two-factor authentication (2FA) is now strongly recommended—and expected to be implemented in the near future.
📢 Developer Communication & Community Reaction:
- GGG issued a detailed update on the official Path of Exile 2 forum, emphasizing transparency and accountability.
- Positive Feedback: Many players praised the company for swift disclosure, clarity, and proactive remediation.
- Criticisms & Demands: Significant demand for mandatory 2FA, stronger account verification, and improved end-to-end encryption. Some players also expressed concerns about game balance and endgame difficulty, noting that security issues have intensified calls for deeper systemic improvements.
🚀 Looking Ahead:
With the next major patch for Path of Exile 2 imminent—featuring performance optimizations on PlayStation 5 and fixes for skill mechanics and damage scaling—GGG is committed to restoring trust. The breach has not delayed development, but it has underscored the need for robust, modern security infrastructure, especially given the unified login system across both Path of Exile and Path of Exile 2.
🔒 Final Takeaways:
- The breach was not a direct attack on player accounts, but a result of poorly secured legacy developer access.
- While no direct password theft occurred, risk of credential stuffing remains—players are urged to:
- Change passwords immediately (especially if reused across sites).
- Enable 2FA at the earliest opportunity.
- Monitor accounts for suspicious activity.
- GGG’s response has been widely seen as responsible, but the industry and community are now expecting long-term security upgrades to match the game’s growing player base.
“We are deeply sorry for this breach. Your trust is our priority, and we are taking every measure to ensure it never happens again.”
— Grinding Gear Games, Official Statement
Stay vigilant. Stay informed. The game continues—but so must your security.
