In a significant cybersecurity incident affecting the popular action RPG franchise Path of Exile, developer Grinding Gear Games has disclosed a serious data breach that occurred through an administrative account compromise. The breach has exposed sensitive user information and affected account access for numerous players across both Path of Exile and Path of Exile 2.
The Security Breach
A forgotten developer testing account linked to Steam became the entry point for attackers, who successfully convinced Steam support to grant them access. This compromised account had administrative privileges on the Path of Exile website, giving the attackers access to customer support tools and sensitive user data. The breach's impact was amplified by a bug in the event logging system that allowed the attackers to cover their tracks by deleting evidence of password changes.
Scope of the Attack
The breach resulted in 66 accounts having their passwords randomly changed by the attacker. More concerning is the exposure of personal information for what the company describes as a significant number of accounts. The compromised data includes email addresses, Steam IDs, IP addresses, shipping information, and region unlock codes. Additionally, transaction histories and private messages, including some between staff members, were potentially accessed.
- Number of accounts with forced password changes: 66
- Types of exposed data:
  - Email addresses
  - Steam IDs
  - IP addresses
  - Shipping addresses
  - Region unlock codes
  - Transaction histories
  - Private message histories
Security Implications
The attackers could potentially cross-reference the obtained email addresses against publicly available compromised password lists, creating additional security risks for users who reuse passwords across multiple services. Combined with the exposed unlock codes, this could also allow region-specific restrictions on accounts to be bypassed.
Remediation Measures
Grinding Gear Games has implemented several immediate security improvements. The company has enforced stricter IP restrictions and banned the linking of third-party accounts to staff accounts. They've also fixed the audit log bug that allowed attackers to hide their activities. However, it's notable that the game still lacks two-factor authentication, a security feature that many users are now requesting.
Security measures implemented:
- Enhanced IP restrictions
- Removal of third-party account linking for staff
- Fixed audit log system
- Forced password resets on admin accounts
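The audit log bug described above let a compromised admin account erase the record of its own password changes. The following is an added illustration, not Grinding Gear Games' code, of how an append-only, hash-chained audit log for support-tool actions makes such deletions either impossible through the tool or detectable in storage; the actor names, event types and `delete` API are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Added example (not the developer's code): each entry's hash covers the
# previous entry's hash, so removing or editing a password-change record
# breaks the chain. Actor and event names are constructed for illustration.

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def _digest(self, prev_hash: str, event: dict) -> str:
        payload = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def append(self, actor: str, action: str, target: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        event = {"actor": actor, "action": action, "target": target,
                 "seq": len(self.entries)}
        self.entries.append({**event, "hash": self._digest(prev, event)})

    def delete(self, seq: int, requested_by: str) -> bool:
        # The flaw in the article: an admin could remove evidence of password
        # changes. Here the log is append-only for every caller; the request
        # is refused and the attempt is itself recorded.
        self.append(requested_by, "delete_attempt", f"seq:{seq}")
        return False

    def verify(self) -> bool:
        # Recompute the chain from the genesis value; any gap or edit fails.
        prev = "0" * 64
        for e in self.entries:
            event = {k: v for k, v in e.items() if k != "hash"}
            if self._digest(prev, event) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def tampered_log() -> AuditLog:
    # Simulate the pre-fix situation: a record removed directly from storage
    # after two password changes by a compromised account (constructed data).
    log = AuditLog()
    log.append("forgotten_test_admin", "password_change", "player_1")
    log.append("forgotten_test_admin", "password_change", "player_2")
    del log.entries[0]
    return log
```

Running `verify()` on the tampered log returns False, which is the signal a defender would alert on; the intact log continues to verify even after a refused deletion attempt.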
Recommendations for Users
Players are strongly advised to change their passwords and review their account security settings. Those who have used the same password across multiple services should be particularly vigilant. While the developer continues to strengthen their security measures, users should consider implementing strong, unique passwords for their gaming accounts and regularly monitor their account activity for any suspicious behavior.