A critical security breach in Path of Exile 2 led to the theft of valuable items from player accounts – no compensation is in sight yet.
Path of Exile 2 is currently making headlines not only for its brutal combat but also for a serious security breach.
A total of 66 player accounts were compromised – and the number could be even higher. A combination of a hacked admin account and a software bug made it easy for attackers to break into player accounts and steal valuable items.
This is how Path of Exile 2 was hacked
The source of the problem was an old, disused Steam account that was still linked to an admin account on the Grinding Gear Games website, as Game Director Jonathan Rogers revealed in an interview.
Using social engineering, the attacker was able to convince Steam Support to reset the account’s credentials. Apparently, simple data such as the last four digits of a credit card and the billing address were enough to confirm the identity.
With access to the admin account, the hackers could change the passwords of other players and thus access their accounts.
Particularly explosive: A bug in the server software caused password changes to be stored as notes and not as unchangeable audit events. These notes could simply be deleted by the attacker after the password change – thus covering all tracks.
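The audit-trail defect is the part of this chain a defender can act on directly. The following is an added example, not Grinding Gear Games' code; the class names, the actor "compromised_admin" and the player accounts are constructed. It contrasts a note store in which the record of a password reset can be deleted by the same admin who performed it with an append-only, hash-chained audit log, and it also shows a caveat that the hash chain alone does not cover: truncating the tail of the log is only detectable if the latest head hash is anchored somewhere the admin cannot reach.

```python
"""Deletable admin notes versus an append-only audit log for password resets.
Added illustration; all names and values are constructed."""
import hashlib
import json

GENESIS = "0" * 64


class MutableNotes:
    """Flawed design: resets are written as admin notes that can be deleted,
    so the actor who performed a reset can also remove the record of it."""

    def __init__(self):
        self._notes = {}
        self._next_id = 1

    def add(self, actor, target, text):
        note_id = self._next_id
        self._next_id += 1
        self._notes[note_id] = {"actor": actor, "target": target, "text": text}
        return note_id

    def delete(self, note_id):
        self._notes.pop(note_id, None)

    def entries(self):
        return list(self._notes.values())


class AppendOnlyAuditLog:
    """Corrected design: events are append-only and hash-chained. There is no
    delete method, and removing or editing an entry breaks the chain."""

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, target, event):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "actor": actor, "target": target,
                "event": event, "prev": prev}
        entry = {**body, "hash": self._digest(body)}
        self._entries.append(entry)
        return entry["hash"]

    def head(self):
        """Latest hash; copy it off-box (SIEM, WORM storage) as soon as it is written."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def entries(self):
        return [dict(e) for e in self._entries]

    def verify(self, expected_head=None):
        """True if every entry hashes correctly and links to its predecessor.
        Chain hashes alone cannot detect tail truncation; pass the externally
        anchored head to catch that as well."""
        prev = GENESIS
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return expected_head is None or prev == expected_head


def reset_password(store, admin, player):
    """Admin-initiated password reset; the store decides how it is recorded."""
    if isinstance(store, MutableNotes):
        return store.add(admin, player, "password reset")
    return store.record(admin, player, "password_reset")


def resets_per_actor(entries):
    """Detection helper: how many resets each actor performed (one admin
    resetting many unrelated accounts is worth an alert)."""
    counts = {}
    for e in entries:
        counts[e["actor"]] = counts.get(e["actor"], 0) + 1
    return counts


def simulate_flawed():
    """Attacker with admin access resets a player's password, then deletes the note."""
    notes = MutableNotes()
    note_id = reset_password(notes, "compromised_admin", "player_42")
    notes.delete(note_id)
    return len(notes.entries())  # 0: no trace of the reset remains


def simulate_fixed():
    """Same actions against the append-only log: the trail survives, and
    tampering with the raw storage is detectable."""
    log = AppendOnlyAuditLog()
    for player in ("player_42", "player_7", "player_13"):
        reset_password(log, "compromised_admin", player)
    anchored_head = log.head()  # stored outside the admin's reach
    result = {
        "has_delete": hasattr(log, "delete"),
        "entries": len(log.entries()),
        "intact": log.verify(anchored_head),
        "resets_by_admin": resets_per_actor(log.entries())["compromised_admin"],
    }
    log._entries.pop()  # simulated tampering: drop the newest reset
    result["tail_truncation_chain_only"] = log.verify()  # True: not detected
    result["tail_truncation_anchored"] = log.verify(anchored_head)  # False
    log._entries.pop(0)  # simulated tampering: drop the oldest reset
    result["middle_removal_chain_only"] = log.verify()  # False: chain broken
    return result
```

The design choice to note is that the log exposes no deletion path at all, rather than a deletion path guarded by a permission check: an attacker holding an admin account already passes such checks, which is exactly the situation described above.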
Consequences for affected players
The affected players were suddenly logged out in the middle of the game. When they were able to log back in with the help of Steam support, their accounts had already been looted. High-value items such as Divine Orbs and hard-earned end-game gear had disappeared.
Particularly bitter: According to Path of Exile 2 support, there is no way to recover stolen items or reset accounts. A rollback is technically impossible – the loss is final.
How is Grinding Gear Games dealing with the incident?
Jonathan Rogers openly admitted the incident and was visibly frustrated about the security breach:
We completely screwed up here with the security measures.
As a direct consequence, GGG has now taken several measures to prevent such incidents in the future. Among other things, it is no longer possible to link Steam accounts to administrator or customer service accounts. In addition, further security precautions have been implemented to close similar security gaps.
Although these security measures should prevent future attacks, it remains unclear whether affected players will receive compensation, possibly in the form of the in-game shop currency. This is particularly galling for those affected, as the stolen items were often the result of hundreds of hours of hard work – and they themselves are in no way to blame for this incident.