Grinding Gear Games is warning followers to change their passwords after a post containing a phishing link appeared briefly on the Path of Exile page on Steam.
"Earlier today, a malicious news post containing a phishing link went up on the Path of Exile Steam page from a compromised account," the studio wrote in a message posted to Steam and Twitter. "The post was taken down quickly, but if you followed the link or suspect your account may also be compromised, please take immediate action to secure your account."
Phishing, simply put, is a type of scam that uses fake links in emails or websites to entice people to share personal or sensitive information, or install malware onto their PCs. It's a very common form of "social engineering," to use the polite term for it, and often easy to pick out: If you've ever received a poorly-spelled email warning that your mailbox is full and telling you to "click here to increase storage space," you know what I'm talking about.
We should all know better by now, but as we noted a couple years ago, phishing emails are still a big danger because of the sheer volume of the things, but more importantly because of their increasing sophistication. Bad spelling and weird fonts are easy to pick out, but sometimes it's honestly hard to tell what's legit and what's going to cause you a very bad Tuesday three months down the road.
No information about the malicious post itself is provided in the update, but Steam user Keijokainen said in the comments that the link led to a fake registration page for a Path of Exile 2 beta test. The scam site was "pretty well disguised" according to Keijokainen, and "a higher effort than normal scam attempts." Another user said the link led to "pathofexiie.com"—note the sequential "ii" rather than il, which is sometimes easy to overlook at a quick glance—rather than pathofexile.com.
In a statement provided to PC Gamer, Grinding Gear Games confirmed that this is in fact what happened. "An attacker managed to gather a lot of semi-public information about one of our developers, with that information they were able to answer all the Steam verification questions about the account and have the email address changed," a studio representative said. "After this occurred they posted the phishing links as official news for Path of Exile.
"Yes, it was a link to a fake signup, and we don't know how many people were added to it, but it was taken down asap."
Making the phishing post more believable is that a Path of Exile 2 beta is on the way: It was recently delayed from June until "later this year" but it's not unreasonable that Grinding Gear Games would be taking sign-ups for it now.
News of the phishing attempt has sparked discussion about whether the phishers would be able to bypass Steam's multifactor authentication (MFA), and the answer seems to be a definite maybe. The login credentials could be used in the standalone Path of Exile launcher if it's been set up to work independently of Steam, and while PoE will apparently send an email verifying a login if it comes from a new IP address, several users say that system is inconsistent at best. Of course, it's not just the risk of your Path of Exile account getting hosed that's an issue: If you use a shared password across multiple accounts, they're at risk too.
If you didn't hit the link there's nothing to worry about, but if you did (or even if you're just not sure) then follow Grinding Gear's advice: Change your password immediately and enable MFA.
