
A significant security breach has been confirmed in Path of Exile 2 (PoE 2), where threat actors successfully compromised an administrative account through an old linked Steam account. The incident, ongoing since November, has affected at least 66 confirmed player accounts, with the possibility of more undiscovered cases due to limited log retention.
The Attack Method:
– Attackers gained access to an admin account via Steam Support by using partial credit card information
– The compromised admin privileges were used to change player passwords
– A system bug labeled password changes as editable notes instead of permanent audit logs
– Hackers deleted these notes to cover their tracks
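The failure described above is that password changes were stored as editable notes that a compromised admin could delete. As an added illustration (not Grinding Gear Games' code; the record fields and account names are constructed), a hash-chained append-only log makes a removed record detectable, provided the latest hash is also kept somewhere the admin console cannot write:

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain

def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same value.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

class AuditLog:
    """Append-only log: every record commits to the record before it."""
    def __init__(self):
        self.records = []

    def append(self, actor, action, target):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        event = {"seq": len(self.records), "actor": actor,
                 "action": action, "target": target}
        self.records.append({"event": event, "prev": prev,
                             "hash": _digest(prev, event)})
        return self.records[-1]["hash"]  # head hash, to be anchored externally

def verify(records, expected_head=None):
    """Return the index of the first inconsistency, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if (rec["event"]["seq"] != i or rec["prev"] != prev
                or rec["hash"] != _digest(prev, rec["event"])):
            return i
        prev = rec["hash"]
    # Removing records from the end leaves a valid chain; only an
    # externally stored head hash reveals that kind of truncation.
    if expected_head is not None and prev != expected_head:
        return len(records)
    return -1

def demo():
    log = AuditLog()  # constructed sample events
    log.append("admin-01", "login", "admin-console")
    log.append("admin-01", "password_change", "player-123")
    head = log.append("admin-01", "logout", "admin-console")
    middle_removed = [log.records[0], log.records[2]]  # password change deleted
    tail_removed = log.records[:2]                     # last record deleted
    return {"intact": verify(log.records, head),
            "middle_removed": verify(middle_removed, head),
            "tail_removed_no_anchor": verify(tail_removed),
            "tail_removed_anchored": verify(tail_removed, head)}
```
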
Impact on Players:
– Both Steam and standalone PoE accounts were breached
– Two-factor authentication was bypassed
– Players lost valuable in-game items and purchases
– No possibility of item restoration or account rollbacks
– Hundreds of hours of gameplay progress lost
Response from Grinding Gear Games:
– Acknowledged security failures in their system
– Implemented new security measures
– Removed Steam account linking capability for admin accounts
– Currently analyzing available logs to identify affected accounts
– No compensation plan announced for affected players
The full scope of the breach remains uncertain because of a five-day gap in November during which logs were automatically deleted under the company’s retention policy. Path of Exile 2, a popular action role-playing game currently in early access, continues to maintain its active player base despite this security incident.