Grinding Gear Games, the developers behind Path of Exile, have issued a sincere apology following a significant security breach that affected their community. This breach, which took place earlier this month, involved a compromised test Steam account with administrative privileges. Let's delve into the details of the incident and the steps taken to enhance security.
Over 66 Accounts Compromised
In a detailed post on the official Path of Exile forums titled "Data Breach Notification," Grinding Gear Games explained the sequence of events. A hacker gained access to a Steam account used for testing purposes, which had admin rights but no linked personal information. Using basic details like the email address and account name, along with a VPN to mimic the account's country of origin, the hacker successfully deceived Steam's customer support into granting access.
Once inside, the attacker used the tools available to customer support agents to change passwords on 66 accounts across Path of Exile 1 and 2. These changes were made surreptitiously: the hacker also deleted the notifications of the changes, removing the one signal that would have alerted the account owners.
The breach allowed the hacker to access sensitive personal data including email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. Additionally, they viewed transaction histories and private messages of some accounts. This information poses a significant risk, as it could be used for malicious activity against the users' other online accounts.
In response, Grinding Gear Games has implemented several new security measures. "We have taken steps to ensure that there are more security measures around admin accounts so that this can not happen again," they stated. These steps include prohibiting the linking of third-party accounts to staff accounts and adding stringent IP restrictions. "We are incredibly sorry for this lapse in security," the developers added, acknowledging that the measures should have been in place earlier and promising further enhancements to prevent future breaches.
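The pattern described above (an admin account resetting passwords in bulk and then deleting the change notifications) and the mitigation Grinding Gear Games announced (IP restrictions on admin accounts) are both things a defender can check for in an audit log. The following Python is an added example written for this article, not code from Grinding Gear Games or any real admin tool; the log format, the actor names, the IP addresses and the allowlisted range are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit-log lines in a hypothetical "key=value" format.
# "support_alice" mimics a support-tool session misused the way the article
# describes: reset, delete the notification, move to the next account.
SAMPLE_LOG = [
    "2025-05-01T10:00:00 actor=support_alice action=password_reset target=user1001 src=203.0.113.10",
    "2025-05-01T10:00:05 actor=support_alice action=notification_delete target=user1001 src=203.0.113.10",
    "2025-05-01T10:01:00 actor=support_alice action=password_reset target=user1002 src=203.0.113.10",
    "2025-05-01T10:01:03 actor=support_alice action=notification_delete target=user1002 src=203.0.113.10",
    "2025-05-01T10:02:10 actor=support_alice action=password_reset target=user1003 src=203.0.113.10",
    "2025-05-01T10:02:14 actor=support_alice action=notification_delete target=user1003 src=203.0.113.10",
    "2025-05-01T11:30:00 actor=support_bob action=password_reset target=user2001 src=198.51.100.7",
    "2025-05-01T11:45:00 actor=support_bob action=view_messages target=user2002 src=198.51.100.7",
]

# Assumed range from which admin/support actions are permitted (the "IP
# restrictions" the article mentions); a real deployment would load this
# from configuration.
ADMIN_ALLOWLIST = [ip_network("198.51.100.0/24")]


@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    target: str
    src: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_str), kv["actor"], kv["action"], kv["target"], kv["src"])


def parse_log(lines):
    """Parse and time-order all lines so the sequence checks below are valid."""
    return sorted((parse_line(l) for l in lines), key=lambda e: e.ts)


def off_allowlist(events, allowlist=ADMIN_ALLOWLIST):
    """Admin actions sourced from outside the permitted range: (actor, src) pairs."""
    hits = set()
    for e in events:
        if not any(ip_address(e.src) in net for net in allowlist):
            hits.add((e.actor, e.src))
    return hits


def suppressed_resets(events, window=timedelta(minutes=5)):
    """password_reset followed by notification_delete on the same target by the same actor.

    This is the notification-deletion behaviour the article describes; a reset whose
    owner notification is deleted shortly afterwards is the signature to alert on.
    """
    hits = []
    pending = {}  # (actor, target) -> timestamp of the most recent reset
    for e in events:
        key = (e.actor, e.target)
        if e.action == "password_reset":
            pending[key] = e.ts
        elif e.action == "notification_delete" and key in pending and e.ts - pending[key] <= window:
            hits.append(key)
            del pending[key]
    return hits


def reset_burst(events, threshold=3, window=timedelta(hours=1)):
    """Actors that reset at least `threshold` distinct accounts within `window`."""
    per_actor = {}
    for e in events:
        if e.action == "password_reset":
            per_actor.setdefault(e.actor, []).append(e.ts)
    flagged = set()
    for actor, stamps in per_actor.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(actor)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("off-allowlist admin activity:", off_allowlist(evts))
    print("resets with deleted notifications:", suppressed_resets(evts))
    print("bulk reset actors:", reset_burst(evts))
```

All three checks fire only on the constructed "support_alice" session, while "support_bob", working from the allowlisted range with a single reset and no notification deletion, is not flagged. The IP allowlist is the preventive control; the other two checks are the detective controls that would have surfaced the activity even if the allowlist had been bypassed.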
The community's response on the forum has been mixed, with some praising the transparency of Grinding Gear Games despite the security issues, while others called for the implementation of two-factor authentication (2FA) to bolster account security. While the developers have not yet confirmed the addition of 2FA, players are advised to change their passwords and remain vigilant about their account information to protect themselves in the meantime.