Posted inBlog News

Hacker Accesses Admin Account for Popular RPG Path of Exile 2

13 January 2025No Comments
Hacker Accesses Admin Account for Popular RPG Path of Exile 2

The developer of Path to Exile 2 has suffered a data breach involving a hacker accessing a powerful admin account for the hit RPG game. 

The incident enabled the hacker to access at least 66 player accounts, said Grinding Gear Games’ technical director Jonathan Rogers in a live stream on Sunday. “Yep, we totally fucked up here with security stuff on this account,” he said. 

The breach didn’t occur through a software vulnerability but through an old, unused Steam account, which was attached to the powerful customer service admin account for the game. To pull off the attack, the hacker tricked Steam’s customer support into thinking that they owned the account but had forgotten the password. This involved the hacker supplying the correct credit card numbers for the account.

The hijacking paved the way for the hacker to reset the passwords to the 66 player accounts. In addition, the culprit was able to exploit a bug to delete evidence that login credentials for the player accounts had been changed. “Effectively, what they had access to was the same stuff that customer service has access to,” Rogers said. 

A number of players have complained about account hijackings and losing their precious loot and valuable items, according to 404 Media, citing user forum posts. In the meantime, Rogers said: “We don’t fully understand the scope of everything that occurred here, but we’re sort of in the process of looking at the logs and so on.” But to boot out the hacker, the team has already reset the passwords for all admin accounts for the game.

In addition, Grinding Gear Games has been looking through the admin accounts to ensure that no Steam account remains attached to any of them. The developer has also added new safeguards to thwart future attempts at accessing Path of Exile 2’s internal systems.  

The team is still considering implementing multi-factor authentication (MFA) for player accounts. Although Rogers doesn’t oppose the security feature, the problem arises when users lose access to their second method of verification, such as their phone or email account. 

Recommended by Our Editors

“What is hard to implement is all the policy around how to recover when people inevitably lose their second-factor…It’s just a whole rabbit hole of random policy stuff,” he said.

Still, Grinding Gear Games does plan on adding MFA for all customer support accounts to prevent potential hijackings.

Like What You’re Reading?

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links.
By clicking the button, you confirm you are 16+ and agree to our
Terms of Use and
Privacy Policy.
You may unsubscribe from the newsletters at any time.

Newsletter Pointer

About Michael Kan

Senior Reporter

Michael Kan

I’ve been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.


Read Michael’s full bio

Read the latest from Michael Kan

Last updated on 14 January 2025

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *