Stolen Path of Exile 2 admin account used to hack player accounts

Path of Exile 2 developers confirmed that a hacked admin account allowed a threat actor to change the password and access at least 66 accounts, finally explaining how PoE 2 accounts have been breached since November.

The breached admin account allowed the threat actors to change the passwords of other accounts, with many losing their in-game purchases, including valuable items that took hundreds of hours to acquire.

However, a time limit in log retention prevents the full scope of the incident from being determined, potentially meaning more accounts were compromised in the breach.

Path of Exile 2 (PoE) is an immensely popular single-player and co-op action role-playing game published by Grinding Gear Games. It’s a sequel to the highly acclaimed ‘dark fantasy’ free-to-play Path of Exile.

Although currently in early access, the title enjoys very positive reviews on Steam, where it has formed a dedicated community of tens of thousands of players, with many more awaiting its final release with much anticipation.

PoE 2 players have been reporting a wave of account hacks on the game’s forums, noting that both Steam and stand-alone PoE accounts were breached without triggering a two-factor authentication code request.

People who fell victim to these hacks found themselves abruptly logged out of the game and Steam.

By the time they got access back with the help of Steam Support, they found that the hackers had stolen all their in-game items, including valuable items like Divine Orbs and end-game gear.

According to forum posts by impacted players, PoE support told them that rollbacks and stolen items restoration are impossible, so the damage is irreversible.

Hacked via an old Steam account

As first reported by 404 Media, Path of Exile 2 game director Jonathan Rogers confirmed in an interview with GhazzyTV’s Tavern Talk podcast yesterday, that the hack occurred via an old Steam account linked to one of their administrator accounts, which was compromised.

The attackers used partial details like the four last digits of their credit card information to convince Steam Support to reset the credentials and take control of the account.

This allowed the attackers to access the PoE 2 admin account and access other gamer’s accounts.

While not confirmed by the developers, a screenshot of an alleged Path of Exile 2 administrative panel has been shared on sites like Reddit, which is believed to have been used to modify players’ passwords.

To make matters worse, when a Path of Exile 2 account password was changed, it logged it as an editable note instead of logging the change as an uneditable audit entry.

“There was actually a bug where the event for setting a new password on an account was incorrectly labeled as a note rather than like an audit event.” Rogers said in the interview.

“What that meant was is that so notes are things that like customer service can add to people’s accounts and they can edit them and delete them. So, the password change thing being a note could be deleted by a customer service person uh accidentally rather than um being um uh so like rather than being permanently there in a way that no one could change.”

“So that effectively meant that what was happening is the person who managed to get an account, they were compromising the accounts by sending a random password then deleting the node afterwards.”

While the developers are analyzing logs to find impacted accounts, they are further hampered by the company’s log retention policy, which caused some logs to be deleted around the time the admin account was compromised.

“Effectively there were the five days back in November when we don’t have logs for and then after that point there were 66 accounts that were that had notes deleted,” continued Rogers.

The developers admitted errors and security gaps in the game’s backend that could have prevented the attacks, stating, “we totally fucked up here.”

Grinding Gear Games assured their players that several security measures have been introduced post-incident, including removing the ability to link Steam accounts to administrative accounts.

However, for those accounts that were impacted, Grinding Gear games has not announced any plans to compensate those players. Instead, saying there is no way to restore stolen items.