The developers of Path of Exile 2 have confirmed that a breach of an administrator’s account allowed hackers to compromise the accounts of 66 players. This revelation sheds light on the wave of account hacks reported by players since November 2024.
Through the compromised administrator account, attackers gained the ability to reset passwords for other users, resulting in the loss of in-game items that players had spent hundreds of hours acquiring. Due to limitations in log retention, the full scope of the incident remains uncertain, suggesting the number of affected accounts may be higher.
Path of Exile 2, a popular RPG developed by Grinding Gear Games and currently in early access, has garnered a dedicated following and received widespread acclaim. However, an increase in reports of account breaches on forums has sparked concern among the player community. Many players claimed that their Steam and Path of Exile profiles were attacked without triggering two-factor authentication prompts.
Victimized players reported being forcibly logged out of the game, and upon regaining access through Steam support, they discovered that all valuable items and unique equipment had been stolen. Support staff for Path of Exile confirmed that item restoration or data recovery was not possible.
Although the developers have not explicitly verified all details, a screenshot purportedly showing the administrative panel for Path of Exile 2 was circulated on Reddit. It is alleged that this panel was used to reset player passwords.
According to the game’s director, Jonathan Rogers, the breach occurred via an old Steam account linked to an administrator profile. Cybercriminals exploited the last four digits of a credit card to convince Steam support to reset the credentials.
Furthermore, a vulnerability in the Path of Exile 2 system allowed the deletion of logs recording password changes. Rogers explained that instead of a secure audit trail, password changes were logged as editable notes, enabling attackers to erase this information.
Efforts to mitigate the aftermath of the breach were hampered by a log retention policy that led to the deletion of records from the days the account was compromised. As a result, the company identified 66 accounts where notes had been erased.
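The two logging failures described above (password-change records kept as deletable notes, and no way to tell that records were removed) are what a tamper-evident audit log is meant to prevent. The following is an added illustration, not code from Grinding Gear Games: an editable-notes store next to a hash-chained append-only log in which every entry commits to its predecessor, so erasing a record is detectable. All names and sample records are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder previous-hash for the first entry


def chain_hash(prev_hash: str, record: dict) -> str:
    # Each entry commits to its predecessor; editing or removing one breaks the chain.
    payload = json.dumps(record, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # list of (record, digest); only ever appended to

    def append(self, actor: str, action: str, target: str) -> int:
        prev = self.entries[-1][1] if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor": actor,
                  "action": action, "target": target}
        self.entries.append((record, chain_hash(prev, record)))
        return record["seq"]

    def verify(self):
        # None if the chain is intact, else the index of the first broken entry.
        # Note: truncation at the tail is only caught if the latest digest is
        # also stored out of band (e.g. shipped to a separate log collector).
        prev = GENESIS
        for i, (record, digest) in enumerate(self.entries):
            if record["seq"] != i or chain_hash(prev, record) != digest:
                return i
            prev = digest
        return None


def editable_notes_demo() -> int:
    # Failure mode: notes keyed by id can be deleted and leave no trace behind.
    notes = {1: "password reset for player_a",   # constructed sample
             2: "password reset for player_b"}
    del notes[1]                                # the evidence simply vanishes
    return len(notes)                           # 1, and nothing says a note existed


def chained_log_demo():
    log = AuditLog()
    log.append("admin_x", "password_reset", "player_a")  # constructed sample
    log.append("admin_x", "password_reset", "player_b")
    intact = log.verify()                       # None: chain is consistent
    del log.entries[0]                          # an attacker erases the first record
    return intact, log.verify()                 # (None, 0): gap detected at index 0
```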
Grinding Gear Games has acknowledged flaws in its security infrastructure and has implemented additional measures in response to the incident. These include prohibiting the linking of Steam accounts to administrative profiles. However, the developers have not offered compensation to affected players, citing the inability to recover stolen items.