Breach of Path of Exile 2 Leads to Hacked Player Accounts, Theft of In-Game Items

Written by: Lore Apostol, Cybersecurity & Streaming Writer

Grinding Gear Games, the developer behind the action RPG Path of Exile 2 (PoE 2), has confirmed that a compromised administrative account was used to hack at least 66 player accounts in a significant security breach. However, the total number of affected accounts could be higher because the available logs are incomplete.

The incident, which has plagued players since November, involved threat actors gaining unauthorized access to an older Steam account that was linked to one of Path of Exile 2's admin accounts.

The attackers were able to reset that account's credentials using partial credit card information, which allowed them to change passwords and take control of player accounts. This led to the theft of in-game items, including gear and currencies.

Many affected players were logged out unexpectedly, only to discover their accounts stripped of valuable in-game assets upon recovery. Despite numerous reports on Path of Exile’s forums, developers have confirmed they cannot restore lost items or roll back accounts.  

[Image: alleged Path of Exile 2 administrator panel, as posted on Reddit (Source: Reddit)]

Further investigation revealed severe weaknesses in Path of Exile 2's backend systems, including a critical flaw in how the game logged account password changes.

According to Jonathan Rogers, Game Director at Grinding Gear Games, these changes were incorrectly logged as editable customer service notes rather than permanent audit entries.  

This design flaw allowed the attackers to trigger arbitrary password resets and then delete the corresponding log entries, effectively erasing the traces of their unauthorized actions. Rogers acknowledged the severity of the breach.
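The flaw Rogers describes is the difference between a mutable notes store and an append-only audit trail. The following is an added illustration, not code from Grinding Gear Games or the game's backend: it models both designs with constructed sample events and shows why deleting an entry goes unnoticed in the first but is detected in the second. The event fields, actor names and the `verify_chain` check are assumptions made for the example.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Constructed sample events for the example; not real accounts or actors.
SAMPLE_EVENTS = [
    {"actor": "admin_acct_A", "action": "password_reset", "target": "player_001"},
    {"actor": "admin_acct_A", "action": "password_reset", "target": "player_002"},
    {"actor": "support_B", "action": "note", "target": "player_003"},
]

GENESIS = "0" * 64  # hash value used as the "previous hash" of the first entry


class EditableNotes:
    """Flawed design: account changes stored as customer-service notes
    that any operator with note access can delete, leaving no trace."""

    def __init__(self) -> None:
        self.notes: List[dict] = []

    def record(self, event: dict) -> None:
        self.notes.append(dict(event))

    def delete(self, index: int) -> None:
        del self.notes[index]  # the only evidence of the event disappears

    def entries(self) -> List[dict]:
        return list(self.notes)


class AppendOnlyAuditLog:
    """Hash-chained audit log: every entry commits to the previous entry's
    hash and its own sequence number, and the class exposes no delete API."""

    def __init__(self) -> None:
        self._entries: List[dict] = []

    @staticmethod
    def digest(prev_hash: str, event: dict, seq: int) -> str:
        payload = json.dumps({"seq": seq, "prev": prev_hash, "event": event}, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, event: dict) -> None:
        seq = len(self._entries)
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        self._entries.append({
            "seq": seq,
            "prev": prev,
            "event": dict(event),
            "hash": self.digest(prev, event, seq),
        })

    def entries(self) -> List[dict]:
        # Export copies so callers cannot mutate the live chain.
        return [dict(e, event=dict(e["event"])) for e in self._entries]


def verify_chain(entries: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute the chain from the genesis value. Returns (ok, first_bad_seq)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = AppendOnlyAuditLog.digest(prev, e["event"], i)
        if e["seq"] != i or e["prev"] != prev or e["hash"] != expected:
            return False, i
        prev = e["hash"]
    return True, None


def demo_tampering() -> dict:
    """Record the same events in both stores, then remove the first
    password-reset record from each and see which design notices."""
    notes = EditableNotes()
    log = AppendOnlyAuditLog()
    for ev in SAMPLE_EVENTS:
        notes.record(ev)
        log.append(ev)

    notes.delete(0)                      # silently succeeds: no evidence remains
    tampered = log.entries()
    del tampered[0]                      # same deletion against an exported copy
    tampered_ok, first_bad = verify_chain(tampered)

    return {
        "notes_remaining": len(notes.entries()),
        "intact_ok": verify_chain(log.entries())[0],
        "tampered_ok": tampered_ok,
        "first_bad_seq": first_bad,
    }


if __name__ == "__main__":
    print(demo_tampering())
```

The chain alone does not stop someone who controls the whole store from rewriting every entry after the deletion; in practice the latest hash (or the log itself) is shipped to a separate write-once destination that the administrative accounts cannot reach, so that a rewritten chain no longer matches the anchored head. The point is the one the article makes: a record of a privileged action must not live in a place the same privilege can edit.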

Grinding Gear Games is also restricted by its log retention policies, which resulted in the loss of certain records from the time of the breach in November. 

Path of Exile 2's developers have since implemented new security measures to prevent similar incidents in the future, and have removed the ability to link Steam accounts to administrator accounts.

However, Grinding Gear Games has not announced compensation for affected players or plans to restore stolen items.

Last year, hackers targeted gamers with Lua-based malware disguised as cheating script engines.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: