Path of Exile developer Grinding Gear Games apologizes for the security breach caused by a compromised test Steam account with admin rights. Read on to find out what happened and what measures were taken.
Over 66 Accounts Compromised
Developers Promise Better Security Measures
Path of Exile (PoE) developer Grinding Gear Games has issued an apology regarding the data breach that occurred earlier this month. In a post on the official PoE forums titled Data Breach Notification, the developers detailed what happened and how the events unfolded.
A Steam PoE account with admin access was compromised by a hacker, who then proceeded to set random passwords on 66 different PoE 1 and PoE 2 accounts using the tools that the company’s customer support agents use when assisting players. Because that admin Steam account was made a long time ago for testing purposes and had no purchases, phone numbers, or addresses linked to it, the attacker was able to fool Steam customer support into giving them access to the account by impersonating the user with only basic information, such as the email address used, the account name, and a VPN that placed them in the same country.
The attacker was also able to delete the password change notifications, covering their tracks and leaving the respective account owners unalerted. Moreover, they were able to access sensitive personal information such as email addresses, Steam IDs, IP addresses, shipping addresses, and unlock codes. The transaction history of some accounts was also viewed, as well as some of their private messages. With the gathered data, it is probable that the attacker will use this information for ill-intentioned purposes, affecting these users’ other accounts.
"We have taken steps to ensure that there are more security measures around admin accounts so that this can not happen again. No 3rd party accounts are allowed to be linked to any staff accounts and we have added significantly more stringent IP restrictions. We are incredibly sorry for this lapse in security. The measures taken to secure the admin website really should have already been in place and in the future we will be taking even more steps to make sure that this kind of issue never occurs again," the post concluded.
Players then shared their sentiments in the thread’s replies, with some applauding the devs for their transparency despite the lapse on their end, and others urging them to add 2-factor authentication to accounts to further strengthen security and help prevent more breaches such as this. Hopefully, Grinding Gear Games will implement 2FA sooner or later, but for now, PoE players may want to change their passwords and be more vigilant about their account information.
Source:
Data Breach Notification on Path of Exile Official Forum