Around 66 accounts in Path of Exile 2 were compromised, due to a one-two punch of an old unused Steam account and a backend bug

Path of Exile 2 has been carving out a lovely little niche for itself, based on how many hours of monster-smashing my colleagues here at PC Gamer have been pumping into it. But it hasn't come without its roadbumps—like, for example, a recent security breach that saw an estimated 66 (potentially more) accounts compromised.

That's as per a recent interview with streamers Darth Microtransaction and GhazzyTV. When asked whether there was data breach at Grinding Gear Games, game director Jonathan Rogers states that "there has been a situation where someone got access to an admin account," but that the full extent is yet to be seen.

"We now understand how that happened—we don't fully understand the scope of everything that occurred here, but we're sort of in the process of looking at logs, and so on … there were a few really shitty things that occurred here that I'm very unhappy about."

As Rogers puts it, the hacker in question managed to pry open access to the admin account through a bit of social engineering—which, when referring to cyber security, means the practice of sneakily getting secondary information via human interaction to achieve a hack, rather than hacking directly. The weak point in GGG's armour here was an old Steam account that the admin was no longer using, but that was nonetheless linked.

"[The person who] had it attached didn't really consider the fact that this old Steam account they weren't using anymore was attached to their admin account … that got compromised through Steam support." While Rogers doesn't know the exact details, he states that the hacker must've had some personal details such as credit card information.

Steam's "proof of ownership" page, for instance, will let you use a Visa credit card's name, billing address, and last four digits to reset a password to an account—all things a malicious actor could obtain via social engineering.

This was then made worse by a bug on GGG's end. When it came time to investigate, it was revealed that the studio's software was registering password resets for Path of Exile 2 accounts as "notes" rather than an "audit event", meaning that someone with admin permissions—the hacker, for instance—could go in and delete them, covering their tracks.

"It was really not obvious to us what was going on there. I don't have the full information yet about the extent of everything that happened, but what I can tell you is that 66 notes were deleted, so that would imply that 66 accounts were compromised," though Rogers notes they only have audit logs going back 30 days due to privacy regulations.

This meant that investigations into the issue—and whether it was a data breach or not—took a lot longer than they otherwise would have. "We initially had no idea, right, so we were like—ah shit, what the hell is going on here."

GGG is determined to patch up this vulnerability, though, as Rogers states: "Since then we've added a bunch of extra security stuff that, honestly, should've already been in place around this to sort this out, so, all of that is to say that we totally fucked up here, with security stuff on this account. We're certainly not gonna have any Steam accounts linked to [admins], we're gonna make sure there's no Steam accounts linked to customer service accounts any longer."

Obviously this kind of security breach is no joke—especially in an age where catastrophic data breaches seem downright commonplace (this is a reminder to go and change your old passwords). Still, studios are large and complex machines, and social engineering is downright hard to spot unless you're jumping at shadows. I hope GGG's able to close ranks around these weak spots soon.