
Summary of Grinding Gear Games' Path of Exile 2 Data Breach (Week of January 6, 2025)
Grinding Gear Games (GGG) has officially confirmed a data breach affecting Path of Exile 2, stemming from the compromise of a developer’s administrative account linked to Steam. The incident occurred during the week of January 6, 2025, and has prompted immediate action and transparency from the studio.
🔐 Root Cause
- A developer’s admin account was compromised due to its association with an outdated Steam test account.
- The attacker gained access to internal tools via the customer support portal, enabling unauthorized access to user data.
- The breach was detected quickly; the compromised account was locked, and all admin accounts were forced to reset passwords.
📌 Data Exposed
The attacker accessed and potentially exfiltrated sensitive information from a "significant number" of accounts, including:
- Email addresses
- Steam IDs
- IP addresses
- Shipping addresses
- Unlock codes
- Transaction histories (for some accounts)
- Private messages from GGG staff
Note: Passwords and password hashes were not directly accessible through the portal. However, attackers may have attempted to match exposed emails with credentials from prior third-party breaches to bypass Steam region locks.
⚠️ Exploited Vulnerabilities
- Randomized password changes were made on 66 user accounts.
- A bug allowed deletion of activity logs, erasing audit trails and masking the attacker’s actions.
- The bug has since been patched and confirmed not to impact core support functions.
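The two behaviours listed above, a burst of password resets from one admin session and the deletion of activity logs, are exactly the kind of events a support-portal audit trail should alert on. The following detection logic is an added example, not code from Grinding Gear Games or their portal: the log line format, the field names, the admin names, the IP addresses and the thresholds are all constructed for this illustration.

```python
"""Detection logic over constructed admin audit-log lines.

Added example, not code from Grinding Gear Games: the log format,
field names, admin names, IPs and thresholds are assumptions made up
for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <admin> <source_ip> <action> <target>"
SAMPLE_LOG = """\
2025-01-06T10:00:01Z alice 203.0.113.10 view_account user123
2025-01-06T10:00:05Z alice 203.0.113.10 view_account user124
2025-01-06T22:14:00Z devtest 198.51.100.7 view_account user900
2025-01-06T22:14:03Z devtest 198.51.100.7 reset_password user900
2025-01-06T22:14:06Z devtest 198.51.100.7 reset_password user901
2025-01-06T22:14:09Z devtest 198.51.100.7 reset_password user902
2025-01-06T22:14:12Z devtest 198.51.100.7 reset_password user903
2025-01-06T22:14:15Z devtest 198.51.100.7 reset_password user904
2025-01-06T22:14:18Z devtest 198.51.100.7 reset_password user905
2025-01-06T22:20:00Z devtest 198.51.100.7 delete_activity_log devtest
"""

RESET_THRESHOLD = 5                    # resets per admin inside WINDOW raise an alert
WINDOW = timedelta(minutes=10)
ALLOWED_ADMIN_IPS = {"203.0.113.10"}   # constructed allowlist of admin source IPs


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, admin, ip, action, target = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "admin": admin, "ip": ip, "action": action, "target": target,
        })
    return events


def detect(events):
    """Return a list of (alert_kind, admin, detail) tuples.

    Three rules: any deletion of an activity log, any admin action from an
    IP outside the allowlist (reported once per admin/IP pair), and a sliding
    window count of password resets per admin.
    """
    alerts = []
    resets = defaultdict(list)   # admin -> timestamps of recent resets
    seen_ips = set()             # (admin, ip) pairs already reported
    for e in events:
        if e["action"] == "delete_activity_log":
            alerts.append(("audit_log_deletion", e["admin"], e["ts"]))
        if e["ip"] not in ALLOWED_ADMIN_IPS and (e["admin"], e["ip"]) not in seen_ips:
            seen_ips.add((e["admin"], e["ip"]))
            alerts.append(("admin_from_unexpected_ip", e["admin"], e["ip"]))
        if e["action"] == "reset_password":
            times = resets[e["admin"]]
            times.append(e["ts"])
            # Drop resets that fell out of the sliding window.
            while times and e["ts"] - times[0] > WINDOW:
                times.pop(0)
            # Fire exactly once when the threshold is crossed.
            if len(times) == RESET_THRESHOLD:
                alerts.append(("bulk_password_reset", e["admin"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The audit-log deletion rule is the important one: if the portal lets an operator delete its own trail, the alert has to be raised by a log pipeline that the portal cannot reach, otherwise the deletion erases the evidence the rule depends on.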
✅ Immediate Mitigation & Preventive Measures
To prevent recurrence and strengthen security:
- Third-party account links (e.g., Steam) are now disabled for staff accounts.
- Stricter IP restrictions have been implemented for admin access.
- All admin accounts now require multi-factor authentication (MFA) — a major policy shift following player demand.
- Internal access protocols have been audited and reinforced.
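The first three measures above (no third-party identity links on staff accounts, IP restrictions on admin access, mandatory MFA) can be expressed as one policy check evaluated at admin login. The code below is an added example, not GGG's implementation: the account and request records, the allowlisted network and the function names are assumptions for this illustration.

```python
"""Admin-access policy check covering three controls: no third-party
identity links on staff accounts, source-IP allowlisting, and MFA.

Added example, not code from Grinding Gear Games: the record shapes,
the allowlisted network and the function names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed admin network (office/VPN range); not a real GGG address.
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class StaffAccount:
    name: str
    is_admin: bool
    mfa_enrolled: bool
    linked_third_party: set = field(default_factory=set)  # e.g. {"steam"}


@dataclass
class LoginRequest:
    source_ip: str
    mfa_passed: bool


def authorize_admin_session(account, request):
    """Return (allowed, reasons).

    Every failing control is reported rather than stopping at the first one,
    so an operator reviewing a denied login sees all the gaps at once.
    """
    if not account.is_admin:
        return False, ["not an admin account"]
    reasons = []
    if account.linked_third_party:
        reasons.append("staff account linked to third-party identity: "
                       + ", ".join(sorted(account.linked_third_party)))
    src = ipaddress.ip_address(request.source_ip)
    if not any(src in net for net in ADMIN_NETWORKS):
        reasons.append(f"source {request.source_ip} outside admin allowlist")
    if not account.mfa_enrolled:
        reasons.append("MFA not enrolled")
    elif not request.mfa_passed:
        reasons.append("MFA challenge not satisfied")
    return (not reasons), reasons


def noncompliant_admins(accounts):
    """Static audit: admin accounts that would fail the policy regardless of
    where they log in from (legacy links or no MFA enrolment)."""
    return sorted(a.name for a in accounts
                  if a.is_admin and (a.linked_third_party or not a.mfa_enrolled))


if __name__ == "__main__":
    legacy = StaffAccount("devtest", True, False, {"steam"})
    print(authorize_admin_session(legacy, LoginRequest("198.51.100.7", False)))
```

Running the static audit over the staff directory before the policy goes live is the practical step: it lists the legacy-linked and non-enrolled admin accounts that would be locked out, so they can be cleaned up rather than discovered at the next login.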
🧩 Context: Player Base & Game Development
- Path of Exile 2 launched in December 2024 with strong early access engagement.
- The game continues to receive regular updates, including:
  - Performance optimization for PlayStation 5
  - Fixes for monster behavior, skill mechanics, and damage scaling
- The next major patch is imminent, and GGG released the breach notice before players return to the game.
💬 Player & Community Reaction
- Positive: Many praised GGG for prompt disclosure, transparency, and technical detail in their forum post.
- Concerned: A growing chorus of players is calling for:
  - Mandatory two-factor authentication (2FA) for all player accounts
  - Enhanced security training for staff
  - Review of data retention practices
- Expectations are rising for stronger endgame difficulty, in-game security, and long-term account protection.
🛡️ Looking Ahead
Grinding Gear Games has reaffirmed its commitment to:
- Protecting player data
- Maintaining trust through open communication
- Implementing enterprise-grade security standards across both Path of Exile and Path of Exile 2, which share a unified login system.
Final Note: While no direct financial data or payment details were exposed, the breach highlights the risks of legacy account integrations and underscores the need for robust authentication — especially in long-term online games with persistent digital identities.
Key Takeaway:
This breach, though serious, was contained swiftly. GGG’s response — including immediate containment, full transparency, and meaningful policy changes — sets a benchmark for crisis management in gaming. However, player trust will depend on sustained action, particularly the rollout of mandatory 2FA and ongoing security improvements.
Stay informed via the official Path of Exile 2 Forum and follow GGG’s security updates.