
Stolen Path of Exile 2 admin account used to hijack player accounts


A threat actor used a breached Path of Exile (PoE) 2 admin account to access 66 accounts after changing their passwords. The game's developers confirmed that PoE 2 accounts have been hacked since November using the admin account.

The admin account allowed cybercriminals to change the passwords of player accounts, resulting in the loss of in-game purchases and important items that took players many hours to obtain. Because game logs are retained only for a limited time, the full impact of the breach cannot be established, and more accounts may have been compromised.

Path of Exile 2 is a single-player and co-op role-playing game developed by Grinding Gear Games and the sequel to the free-to-play dark fantasy game Path of Exile. The game is currently in early access, with positive reviews on Steam, while players wait for its full release.

Players have reported a series of hijacked accounts on PoE 2 forums, indicating that Steam and standalone accounts were hacked into without prompting a two-factor authentication request. The players whose accounts were compromised were logged out of PoE 2 and Steam. When the victims regained access with the help of Steam support, they found that all their valuable in-game possessions, including items such as Divine Orbs and end-game gear, were stolen.

PoE support informed players that restoration of the lost items and rollbacks were not possible. The incident was first reported by 404 Media, and the breach was confirmed by game director Jonathan Rogers on the Tavern Talk podcast yesterday. Rogers said that the breach was carried out after one of the administrator accounts, which was linked to an old Steam account, was stolen.

Limited information, such as the last four digits of the credit card, was used to persuade Steam support to reset the account credentials. When the password of a PoE 2 account was changed, the change was logged as an editable note instead of an uneditable audit entry. Rogers said, “There was actually a bug where the event for setting a new password on an account was incorrectly labelled as a note rather than like an audit event.”
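The logging failure described above, as an added sketch (not Grinding Gear Games' code; the `AccountLog` class, the event names and the store layout are assumptions): password changes are refused as editable notes and written to a hash-chained audit trail in which a later edit or deletion is detectable.

```python
import hashlib
import json

# Hypothetical event names; the article does not describe the real backend schema.
AUDIT_ONLY_EVENTS = {"password_set", "email_changed", "admin_login"}
GENESIS = "0" * 64


class AccountLog:
    """Editable support notes kept apart from an append-only, hash-chained audit trail."""

    def __init__(self):
        self.notes = []   # free-text notes that staff can edit or delete
        self._audit = []  # append-only entries, each chained to the previous digest

    @staticmethod
    def _digest(prev, body):
        payload = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(prev.encode() + payload).hexdigest()

    def head(self):
        """Latest digest; store a copy outside the system to detect tail truncation."""
        return self._audit[-1]["digest"] if self._audit else GENESIS

    def add_note(self, actor, text, event_type=None):
        # Refuse the mislabelling: a security event must never become a note.
        if event_type in AUDIT_ONLY_EVENTS:
            raise ValueError(f"{event_type} must be recorded as an audit event")
        self.notes.append({"actor": actor, "text": text})

    def add_audit(self, actor, event_type, target):
        body = {"seq": len(self._audit), "actor": actor, "event": event_type, "target": target}
        self._audit.append({"body": body, "digest": self._digest(self.head(), body)})

    def verify(self):
        """Return the index of the first edited or missing entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self._audit):
            if entry["body"]["seq"] != i or entry["digest"] != self._digest(prev, entry["body"]):
                return i
            prev = entry["digest"]
        return None


if __name__ == "__main__":
    log = AccountLog()  # constructed sample data below
    log.add_audit("admin-1", "password_set", "player-17")
    log._audit[0]["body"]["actor"] = "someone-else"  # simulate an after-the-fact edit
    print("first tampered entry:", log.verify())
```

The chain alone cannot reveal entries removed from the end, which is why `head()` is meant to be copied to a system the admin panel cannot write to.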

While the developers admitted the errors and security flaws in the game’s backend, Grinding Gear Games assured players that security measures were introduced after the breach, such as not being able to link Steam and administrator accounts. The company did not announce any measures to compensate players for the affected accounts and said there is no method to restore the stolen items.


Arun Maity


Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
