Path of Exile 2 Confirms Data Breach

Author: Lucy | Update: Mar 31, 2026

Summary

  • Grinding Gear Games, the developer of Path of Exile 2, confirmed a data breach occurred during the week of January 6, 2025.
  • The breach stemmed from a compromised developer account linked to Steam.
  • Player data, including email addresses, Steam IDs, IP addresses, and other details, was exposed.

Grinding Gear Games confirmed that Path of Exile 2 suffered a data breach after a developer’s administrative account was breached. The team also outlined immediate steps to strengthen admin account security and prevent future incidents across both Path of Exile 2 and its predecessor, which share a unified login system.

Since its early access launch in December 2024, Path of Exile 2 has sustained a strong player base through consistent updates and transparent communication from Grinding Gear Games. The most recent update optimized performance on PlayStation 5 and resolved issues with monsters, skills, and damage. The next major patch is imminent, and Grinding Gear Games addressed the data breach before players re-enter the game to experience the new content.

Grinding Gear Games updated its official Path of Exile 2 forum with a notice confirming awareness of the breach during the week of January 6, 2025. An admin account belonging to a developer was compromised, granting the attacker access to tools used by the customer support team. Upon discovery, the team immediately locked the account and mandated password resets for all other admin accounts. Further investigation revealed the breached account was tied to an old Steam test account, which provided enough information to fully compromise it. Although the Steam account had no purchases or personal data linked to it, access to the developer’s Path of Exile account allowed the attacker to manipulate other accounts via the developer portal.

Path of Exile 2 Developer Grinding Gear Games Confirms Data Breach Involving Compromised Staff Account


  • The breach exposed data for a “significant number” of accounts.
  • Compromised data includes email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes.

The attacker set randomized passwords on 66 accounts, and a bug permitted them to delete activity logs recording changes. Grinding Gear Games confirmed the bug has been patched and does not affect other support functions, but it allowed the attacker to view account details for a “significant number” of users on the developer portal. As a result, email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes were compromised.

Although passwords and password hashes were not accessible via the customer service portal, Grinding Gear Games noted the attacker might have matched exposed email addresses with password lists from other breaches to bypass region locks on Steam-linked Path of Exile 2 accounts. For some affected accounts, the attacker also viewed transaction histories and private messages from Grinding Gear Games staff. To prevent recurrence, third-party accounts can no longer be linked to staff accounts, and significantly stricter IP restrictions have been implemented.

Player reactions to the breach have been divided—some praised the developers for their transparency, while others urged the implementation of two-factor authentication for Path of Exile 2 accounts. It’s clear many players expect stronger security measures and enhancements to both in-game content and endgame difficulty.