During an interview earlier this week, developer Grinding Gear Games revealed that around 66 Path of Exile 1 and 2 accounts were hacked after an act of social engineering exploited an old Steam profile—one that was both linked to an admin account and, crucially, forgotten about and unsecured.
The full extent of the damage has been revealed in a post to the Path of Exile forums, which further explains that the Steam account in question "was a regular Steam account and had no purchases, phone numbers, addresses or other information associated with it," meaning that "the only information that they were required to supply was the email, account name and be using a VPN from the same country."
Game director Jonathan Rogers previously said that the hacker took advantage of a bug in the studio's audit log system: Wherein password resets were instead considered "notes", and thus were able to be deleted to cover their tracks as they "set random passwords on 66 accounts". The post promises that "this bug doesn't exist for other support actions and has been fixed now."
In a grim turn, however, it turns out that the hacker was able to also potentially view personal information for "a significant number of accounts". These include email addresses and Steam IDs "if the account had one associated", as well as IP addresses, shipping addresses "if the account had previously had physical goods sent", and an unlock code for lifting region-specific accounts. Other personal info at risk in the attack included transaction history and private message histories, some of which were between Grinding Gear Games staff.
"It is probable," the post states, "that the attacker would be able to compare email addresses found using our portal against publicly available lists of compromised passwords from other websites in order to find accounts that shared the same password with their PoE account. If that was the case, they would have been able to bypass the region locking using the unlock code."
It's a huge breach of privacy—and one Grinding Gear Games seems to be taking seriously. "We have taken steps to ensure that there are more security measures around admin accounts so that this can not happen again. No 3rd party accounts are allowed to be linked to any staff accounts and we have added significantly more stringent IP restrictions."
That's no small comfort to those impacted, though, for which GGG says "we are incredibly sorry for this lapse in security. The measures taken to secure the admin website really should have already been in place, and in the future we will be taking even more steps to make sure that this kind of issue never occurs again."
For context, while some accounts compromised were due to passwords already being out there—a solid reminder to make sure you aren't using the same password for everything, and to check your password against public listings of hacked ones—personal info being scraped is deeply concerning. A hacker knowing someone's IP and shipping address makes that person inherently more vulnerable to other social engineering (that is, using secondary information to access an account).
In other words, if you've got a Path of Exile account for either game, it might be worth changing a few passwords and applying 2FA to any other accounts you might have. I say "other" because, as several complainants in the forum post note, Path of Exile doesn't have two-factor authentication.
