Hackers Loot Path Of Exile 2 Players

Developers of Path of Exile 2 have confirmed that hackers gained access to the accounts of 66 players by compromising an administrator’s account. This security breach has been linked to the wave of hacks that players have been experiencing since November 2024.

The compromised account allowed attackers to change the passwords of other users, resulting in the loss of in-game items that players had spent hours collecting. Due to restrictions on log preservation, the full extent of the incident is still unclear, and there may be more affected accounts.

Path of Exile 2, a popular RPG developed by Grinding Gear Games, is currently in early access and has garnered a large audience along with positive reviews. However, reports of hacked accounts on forums have raised alarm among players who noted unauthorized access without two-factor authentication.

Players who were affected discovered that they were suddenly logged out of the game, and upon regaining access through Steam support, found their valuable items and unique equipment stolen. Path of Exile support has stated that recovery of lost items is not possible.

While the developers have not officially confirmed the details, a screenshot allegedly showing the administrative panel of Path of Exile 2 was shared on Reddit. This panel is believed to have been used to change player passwords.

According to the game director, Jonathan Rogers, the attack stemmed from an old Steam account linked to the administrator profile. Hackers were able to manipulate Steam support using the last four digits of a credit card to take control of the account.

The security flaw in Path of Exile 2 allowed for the deletion of logs tracking password changes. Rogers explained that instead of creating an audit trail, password changes were logged as edited notes, enabling the removal of this vital information.

Following the incident, the developers encountered challenges in addressing the aftermath due to the log retention policy, which led to logs being wiped during the hacking period. As a result, 66 accounts were identified where notes had been deleted.
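The difference between an editable note and an audit trail can be shown with a hash-chained, append-only log, in which removing or altering a password-change record breaks verification. This is an added example, not Grinding Gear Games' code; the class, function and account names are hypothetical, and the sample events are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed anchor that the first entry chains from


def _digest(prev_hash, event):
    # Each hash covers the previous entry's hash plus a canonical event encoding.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only by design: there is no edit or delete method (hypothetical API)."""

    def __init__(self):
        self._entries = []

    def append(self, actor, action, target):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        event = {"seq": len(self._entries), "actor": actor,
                 "action": action, "target": target}
        self._entries.append({"event": event, "hash": _digest(prev, event)})
        return self._entries[-1]["hash"]  # head hash, to be stored out of the admin's reach

    def export(self):
        return copy.deepcopy(self._entries)


def verify(entries, expected_head=None):
    """Return the index of the first inconsistent entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["event"]["seq"] != i or entry["hash"] != _digest(prev, entry["event"]):
            return i
        prev = entry["hash"]
    # Removing entries from the tail is only visible against an externally stored head.
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return -1


def sample_log():
    # Constructed events: one admin session changing two player passwords.
    log = AuditLog()
    log.append("admin-01", "login", "admin-panel")
    log.append("admin-01", "password_change", "player-1001")
    head = log.append("admin-01", "password_change", "player-1002")
    return log, head
```

Deleting a record from the middle is caught by the chain alone, while trimming the most recent records is caught only if the head hash is kept somewhere the administrative account cannot write.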

Grinding Gear Games has admitted to security lapses and indicated that additional measures have been implemented post-incident, such as a ban on linking Steam accounts to administrative profiles. However, no compensation will be provided to affected players as the restoration of stolen items is not feasible.
