Around 66 Path of Exile 2 accounts have been compromised after an attacker took over an old, unused Steam account linked to an administrator login, and a server-side logging mistake let the resets be hidden.
Path of Exile 2 has carved out a nice little niche for itself, judging by how many hours of monster-slaying my colleagues at PC Gamer have put into it. But it hasn’t been without its hurdles, such as the recent security breach that left approximately 66 (possibly more) accounts compromised.
This is according to a recent interview with streamers Darth Microtransaction and GhazzyTV. When asked whether there had been a data breach at Grinding Gear Games, game director Jonathan Rogers said that “there was a situation where someone gained access to an administrator account,” though the full extent remains to be seen.
“Now we understand how it happened – we don’t fully understand the extent of everything that happened here, but we’re kind of looking through the logs and so on… some really shitty things happened here. I am very dissatisfied with this.”
According to Rogers, the attacker gained access to an administrator account through social engineering, which in cybersecurity means manipulating people (in this case a support process) into handing over information or taking an action, rather than exploiting a technical flaw. The weak point in GGG’s armour was an old Steam account that the admin no longer used but which was still linked to the admin account.
“[The person who] attached it didn’t really take into account the fact that this old Steam account that they no longer used was attached to their admin account… which was compromised through Steam support.” While Rogers doesn’t know the exact details, he says the attacker must have had some of the admin’s personal information, such as credit card details.
For example, Steam’s Verify Ownership page lets you prove ownership of an account with the name on a Visa credit card used on it, its billing address, and the last four digits of the card number, which is enough to reset the account password. All of that is information an attacker can obtain through social engineering.
The situation was then aggravated by a mistake on GGG’s side. When it came time to investigate, it turned out that the studio’s back-office software was recording password resets on Path of Exile 2 accounts as “notes” rather than as “audit events”. Notes can be deleted by anyone with administrative rights, so an attacker holding an admin account could go in, remove the record of the resets, and cover their tracks.
“It really wasn’t obvious to us what was going on there. I don’t have the full extent of what happened yet, but I can tell you that 66 notes were deleted, which means 66 accounts were compromised,” although Rogers notes that, due to privacy regulations, they only keep 30 days of audit logs.
This meant that investigating the issue (and whether it was a data breach or not) took much longer than it otherwise would have. “Initially we had no idea, yeah, so we thought, what the hell is going on here.”
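To make the logging mistake concrete, here is an added illustration (a toy in-memory model, not GGG’s code; the class and event names NotesStore, AuditLog, "password_reset" and "note_deleted" are assumptions made for the example). It places the weak design, in which a reset is a deletable note and only the deletion is audited, beside a hardened one, in which every reset is an append-only, hash-chained audit event with no delete operation at all:

```python
"""Deletable "notes" versus an append-only audit log for password resets.

Added illustration, not GGG's code: a toy in-memory model. The class and
event names (NotesStore, AuditLog, "password_reset", "note_deleted") are
assumptions made for this example.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev-hash value for the first audit event


class NotesStore:
    """The weak design the article describes: a reset on an account is stored
    as a free-text note, and any admin can delete notes. Only the deletion is
    written to the audit trail, so an investigator can count deleted notes but
    can no longer see which accounts were reset."""

    def __init__(self):
        self.notes = {}      # note_id -> note
        self.audit = []      # audit events (deletions only)
        self._next_id = 1

    def record_reset(self, actor, account):
        note_id = self._next_id
        self._next_id += 1
        self.notes[note_id] = {"actor": actor, "account": account,
                               "text": "password reset"}
        return note_id

    def delete_note(self, actor, note_id):
        # The note's contents are gone; only the fact of a deletion survives.
        del self.notes[note_id]
        self.audit.append({"event": "note_deleted", "actor": actor,
                           "note_id": note_id})

    def accounts_reset_by(self, actor):
        return sorted(n["account"] for n in self.notes.values()
                      if n["actor"] == actor)

    def deleted_note_count(self):
        return sum(1 for e in self.audit if e["event"] == "note_deleted")


class AuditLog:
    """Hardened design: every reset is an append-only audit event. There is no
    delete method, and each event carries the SHA-256 of the previous one, so
    removing or editing an event breaks the chain and verify() reports it."""

    def __init__(self):
        self.events = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event, actor, account):
        prev = self.events[-1]["hash"] if self.events else GENESIS
        body = {"seq": len(self.events), "event": event,
                "actor": actor, "account": account, "prev": prev}
        digest = self._digest(body)
        body["hash"] = digest
        self.events.append(body)
        return digest

    def verify(self):
        """True only if every event is in sequence and its hash and prev-hash match."""
        prev = GENESIS
        for i, e in enumerate(self.events):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accounts_reset_by(self, actor):
        return sorted(e["account"] for e in self.events
                      if e["event"] == "password_reset" and e["actor"] == actor)


def demo():
    """Constructed scenario: a compromised admin account resets three players'
    passwords, then tries to erase the evidence under both designs."""
    attacker = "admin-compromised"
    victims = ["player001", "player002", "player003"]

    notes = NotesStore()
    for v in victims:
        notes.record_reset(attacker, v)
    for note_id in list(notes.notes):
        notes.delete_note(attacker, note_id)      # allowed: notes are mutable

    log = AuditLog()
    for v in victims:
        log.append("password_reset", attacker, v)
    tampered = AuditLog()
    tampered.events = [dict(e) for e in log.events]
    del tampered.events[1]                        # simulate removal straight from storage

    return {
        "notes_visible": notes.accounts_reset_by(attacker),   # [] : evidence gone
        "notes_deleted": notes.deleted_note_count(),          # 3  : only a count survives
        "audit_visible": log.accounts_reset_by(attacker),     # all three accounts
        "audit_intact": log.verify(),                         # True
        "tampered_intact": tampered.verify(),                 # False : chain broken
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The NotesStore half reproduces what Rogers describes: after the attacker deletes the notes, the store can say how many were deleted but not which accounts they covered. The AuditLog half shows the property the fix needs, namely that the reset record itself is the audit event and any attempt to remove it is detectable. One caveat the page also raises: tamper-evidence does not help if the events age out before anyone looks, so audit retention has to cover the investigation window, which GGG’s 30 days did not comfortably do.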
However, GGG is determined to fix this weakness, as Rogers states: “We’ve since added a bunch of extra security measures that, frankly, should have already been put in place around this issue, to get to the bottom of this. So that’s all we have here; we completely screwed up the security issues on this account. We will definitely not have any Steam accounts associated with [administrators]; we will make sure that no Steam accounts are associated with customer support accounts any longer.”
Obviously, this kind of security breach is no joke, especially in an age where catastrophic data breaches seem to be a common occurrence (consider this a reminder to go and change your old passwords). However, studios are large, complex machines, and social engineering is downright difficult to detect unless you’re jumping at shadows. I hope GGG can close ranks around these weak points soon.