'We are incredibly sorry': Path of Exile 2 devs apologise for data breach that saw 66 accounts snatched and personal info potentially stolen


During an interview earlier this week, developer Grinding Gear Games revealed that around 66 Path of Exile 1 and 2 accounts were hacked after an act of social engineering exploited an old Steam profile—one that was both linked to an admin account and, crucially, forgotten about and unsecured.

The full extent of the damage has been revealed in a post to the Path of Exile forums, which further explains that the Steam account in question "was a regular Steam account and had no purchases, phone numbers, addresses or other information associated with it," meaning that "the only information that they were required to supply was the email, account name and be using a VPN from the same country."

Game director Jonathan Rogers had previously said that the hacker took advantage of a bug in the studio's audit log system: password resets were recorded as "notes", and notes could be deleted, so the attacker was able to cover their tracks as they "set random passwords on 66 accounts". The post promises that "this bug doesn't exist for other support actions and has been fixed now."
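The flaw described above, a privileged action stored in the same deletable bucket as a free-form note, is the kind of design problem an append-only, hash-chained audit log is meant to rule out. The following Python is an added illustration, not Grinding Gear Games' code: the post only says that resets were stored as deletable "notes" and that this has been fixed, so the class names, action types and the scenario in `demo()` are assumptions made here for the example.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass

# Support actions that must never vanish from the record. These names are
# assumptions for illustration, not GGG's actual action types.
PRIVILEGED_ACTIONS = {"password_reset", "email_change", "region_unlock"}
GENESIS = "0" * 64


@dataclass
class AuditEntry:
    seq: int
    actor: str
    action: str
    target: str
    detail: str
    prev_hash: str
    entry_hash: str = ""


class VulnerableLog:
    """Models the bug the post describes: every support action, a password
    reset included, lands in a plain list of 'notes', and any note can be
    deleted outright, so the reset leaves no trace."""

    def __init__(self):
        self.notes = []

    def reset_password(self, admin, account):
        self.notes.append({"by": admin, "text": f"reset password on {account}"})

    def delete_note(self, idx):
        del self.notes[idx]


class HardenedLog:
    """Append-only, hash-chained log: each entry commits to the previous one,
    privileged actions cannot be removed, and redacting an ordinary note is
    itself appended as a new event instead of erasing anything."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(e):
        body = json.dumps([e.seq, e.actor, e.action, e.target, e.detail, e.prev_hash])
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, actor, action, target, detail=""):
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        e = AuditEntry(len(self.entries), actor, action, target, detail, prev)
        e.entry_hash = self._digest(e)
        self.entries.append(e)
        return e

    def reset_password(self, admin, account):
        new_password = secrets.token_urlsafe(12)
        # Record who did what to which account; never the secret itself.
        self.append(admin, "password_reset", account, "random password set")
        return new_password

    def add_note(self, admin, account, text):
        return self.append(admin, "note", account, text)

    def redact(self, admin, seq):
        e = self.entries[seq]
        if e.action in PRIVILEGED_ACTIONS:
            raise PermissionError(f"{e.action} entries are immutable")
        self.append(admin, "note_redacted", e.target, f"redacted seq={seq}")

    def verify(self):
        """True only if no entry was removed, reordered or edited in place."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or self._digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def actions_on(self, account):
        return [e.action for e in self.entries if e.target == account]


def demo():
    # Constructed scenario: someone holding an admin session resets a
    # player's password and then tries to erase the evidence.
    bad = VulnerableLog()
    bad.reset_password("admin", "player1")
    bad.delete_note(0)
    trace_left_in_vulnerable = len(bad.notes)  # 0: the reset is simply gone

    good = HardenedLog()
    good.add_note("admin", "player1", "asked about refund")
    good.reset_password("admin", "player1")
    try:
        good.redact("admin", 1)
        reset_deletable = True
    except PermissionError:
        reset_deletable = False
    good.redact("admin", 0)  # note redaction is logged, not erased
    intact = good.verify()
    del good.entries[1]  # tampering with the storage behind the API's back
    tamper_detected = not good.verify()
    return trace_left_in_vulnerable, reset_deletable, intact, tamper_detected


if __name__ == "__main__":
    print(demo())  # (0, False, True, True)
```

The point of the chain is that "delete" is not an operation the log offers at all; the only way to make a reset disappear is to tamper with storage directly, and `verify()` then fails on the first broken link.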

In a grim turn, however, it turns out that the hacker was also potentially able to view personal information for "a significant number of accounts". This includes email addresses and Steam IDs "if the account had one associated", as well as IP addresses, shipping addresses "if the account had previously had physical goods sent", and the unlock code used to lift an account's region lock. Other personal info at risk in the attack included transaction history and private message histories, some of which were between Grinding Gear Games staff.

"It is probable," the post states, "that the attacker would be able to compare email addresses found using our portal against publicly available lists of compromised passwords from other websites in order to find accounts that shared the same password with their PoE account. If that was the case, they would have been able to bypass the region locking using the unlock code."

It's a huge breach of privacy—and one Grinding Gear Games seems to be taking seriously. "We have taken steps to ensure that there are more security measures around admin accounts so that this can not happen again. No 3rd party accounts are allowed to be linked to any staff accounts and we have added significantly more stringent IP restrictions."

That's small comfort to those affected, though, to whom GGG says "we are incredibly sorry for this lapse in security. The measures taken to secure the admin website really should have already been in place, and in the future we will be taking even more steps to make sure that this kind of issue never occurs again."

For context: some of the compromised accounts were taken over because their passwords were already circulating in public breach dumps, which is a solid reminder not to reuse one password everywhere and to check your passwords against public lists of leaked ones. The scraping of personal info is the deeper concern, though. A hacker who knows someone's IP and shipping address holds exactly the kind of secondary information that makes that person more vulnerable to further social engineering (using such details to talk their way into an account).
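One way to do the check recommended above without handing your password to anyone, and the same kind of lookup the post says the attacker could have made against leaked credential lists, is the k-anonymity range query offered by Have I Been Pwned's Pwned Passwords service: only the first five hex characters of the password's SHA-1 hash leave your machine, the service returns every suffix it knows under that prefix, and the match is made locally. The code below is an added example, not from the article or from GGG; `fetch_range` calls the real endpoint, but `SAMPLE_RESPONSE` is a constructed response body with made-up suffixes and counts so the demo runs offline. It also handles the padded-response case, where decoy entries with a count of 0 must not be mistaken for matches.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API; the 5-char prefix is appended.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and return the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns. With the
    Add-Padding header the service mixes in decoy suffixes with count 0;
    those are dropped so they can never be reported as a hit."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count.strip() or 0)
        if n > 0:
            counts[suffix.strip().upper()] = n
    return counts


def breach_count(password: str, response_text: str) -> int:
    """How many times the password appears in the corpus, matched locally
    against an already-fetched range response (0 if absent)."""
    _, suffix = split_hash(password)
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network call for one prefix (not used by the offline demo).
    Add-Padding asks the service to hide the true size of the result."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))


# Constructed response for prefix 5BAA6, the prefix of SHA-1("password").
# Only the first suffix is genuine (it is the real suffix of "password");
# the count and the other two lines are made up for this example.
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
0A1B2C3D4E5F60718293A4B5C6D7E8F9012:3
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def demo() -> tuple[int, int]:
    """Offline check of a known-bad password and a phrase absent from the
    constructed response."""
    return (
        breach_count("password", SAMPLE_RESPONSE),
        breach_count("correct horse battery staple", SAMPLE_RESPONSE),
    )


if __name__ == "__main__":
    print(demo())  # (9545824, 0)
```

The full hash is never transmitted, and because every response under a prefix covers hundreds of real suffixes (plus padding if requested), the service learns nothing about which password you were checking.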

In other words, if you've got a Path of Exile account for either game, it might be worth changing a few passwords and applying 2FA to any other accounts you might have. I say "other" because, as several complainants in the forum post note, Path of Exile doesn't have two-factor authentication.

Harvey Randall
Staff Writer
