Path of Exile 2 is currently making headlines not only with its tough fights, but also with a serious security gap.
A total of 66 player accounts were compromised, and the number could be even higher. A combination of a hacked admin account and a software bug made it easy for attackers to break into player accounts and steal valuable items.
This is how Path of Exile 2 was hacked
The origin of the problem was an old, no longer used Steam account that was still linked to an admin account on the Grinding Gear Games website, as game director Jonathan Rogers revealed in an interview.
Via social engineering
The attacker managed to convince Steam Support to reset the account's credentials. Simple data such as the last four digits of a credit card and the billing address were apparently sufficient to confirm identity.
With access to the admin account, the hackers were able to change other players' passwords and thus access their accounts.
Particularly explosive: a bug in the server software caused password changes to be saved as Notes rather than as unchangeable Audit Events. These notes could easily be deleted by the attacker after changing the password, thus covering all traces.
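The distinction the bug blurred, shown as an added example that is not GGG's code: a mutable notes store beside an append-only, hash-chained audit log (a hypothetical design), so deleting a note cannot erase the record of a password reset, and editing the log after the fact is detectable.

```python
import hashlib
import json
class AuditLog:
    """Append-only audit trail (hypothetical design): no delete or update method;
    each event carries the previous digest, so tampering breaks the chain."""

    def __init__(self):
        self.events = []

    @staticmethod
    def _digest(event):
        body = {k: v for k, v in event.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, target):
        prev = self.events[-1]["digest"] if self.events else "0" * 64
        event = {"seq": len(self.events), "actor": actor,
                 "action": action, "target": target, "prev": prev}
        event["digest"] = self._digest(event)
        self.events.append(event)

    def verify(self):
        prev = "0" * 64
        for event in self.events:
            if event["prev"] != prev or self._digest(event) != event["digest"]:
                return False
            prev = event["digest"]
        return True

class AccountService:
    def __init__(self, audit):
        self.audit = audit
        self.notes = {}      # free-text support notes: mutable and deletable
        self.passwords = {}  # user -> password hash (constructed sample state)

    def admin_reset_password(self, admin, user, new_hash):
        # Audit first, then change state: a crash cannot leave an unlogged reset.
        self.audit.append(admin, "password_reset", user)
        self.passwords[user] = new_hash
        self.notes.setdefault(user, []).append(f"password reset by {admin}")

    def delete_note(self, user, index):
        del self.notes[user][index]  # allowed; the audit log is untouchable
def simulate_cover_up():
    """Admin-level reset followed by note deletion; returns (notes left, audit events, chain intact)."""
    log = AuditLog()
    svc = AccountService(log)
    svc.admin_reset_password("hijacked_admin", "victim", "hash-of-new-pw")
    svc.delete_note("victim", 0)
    return len(svc.notes["victim"]), len(log.events), log.verify()
```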
The consequences for affected players
The affected players were suddenly logged out in the middle of the game. By the time they were able to log back in using Steam support, their accounts had already been looted. High-value items like Divine Orbs and hard-earned endgame gear were gone.
Particularly bitter: according to Path of Exile 2 support, there is no way to recover stolen items or reset accounts. A rollback is simply technically impossible, so the loss is final.
How is Grinding Gear Games dealing with the incident?
Jonathan Rogers openly acknowledged the incident and was visibly frustrated by the security flaw:
We have completely screwed up the security measures here.
As a direct consequence, GGG has now taken several measures to prevent such incidents in the future. Among other things, it is now no longer possible to link Steam accounts to administrator or customer service accounts. Additional security measures have also been implemented to close similar security gaps.
Although these security measures are intended to prevent future attacks, it remains unclear whether affected players will receive compensation, possibly in the form of in-game shop currency. This is particularly bitter for those affected, as the stolen items were often the result of hundreds of hours of hard work, and they themselves bear no blame for this incident.