Stolen Path of Exile 2 admin account used to hack player accounts

The recent incident involving the compromise of admin and player accounts in Path of Exile 2 has been extensively detailed by Grinding Gear Games (GGG), the developers of the game. Here are the key points from the latest reports:

Source of the Breach

The security breach was traced back to a single customer support account that was compromised through a Steam Support exploit. This support account was linked to an admin account, which the administrator had not actively used or monitored. The unused Steam account associated with the admin account was taken over by the hackers, allowing them to access the admin panel.

Method of Exploitation

The hackers exploited the Steam account linked to the admin account, changing its credentials without the administrator's knowledge. This was possible because the administrator was not aware of the old, unused Steam account's connection to their admin account.

Impact on Player Accounts

The compromised admin account was used to access multiple player accounts, resulting in issues such as stolen in-game currencies and other assets. The exact extent of the damage is difficult to assess due to a secondary bug that mislabeled audit log events as editable notes, which could be deleted by the hacker. This bug led to the deletion of at least 66 such notes, indicating a significant number of compromised user accounts.

Audit Log Issues

A bug in the system recorded the act of setting a new password on an account as a note rather than as an audit event. Notes are editable, so the hacker could delete them, effectively erasing any trace of their activity from the audit logs. As a result, the developers are relying on web server logs, which do not capture all the data sent in web requests, making a complete assessment of the breach challenging.
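As an added example (not GGG's code, and not a description of their systems), here is one way to keep password-reset events out of an editable notes store and make tampering with the audit trail detectable: each entry commits to the hash of its predecessor, so removing or editing an interior entry fails verification. The class names, action strings and the hypothetical AccountAdmin service are assumptions for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

class TamperError(Exception):
    pass

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only audit trail: each entry commits to the previous entry's hash,
    so deleting or editing an interior entry breaks the chain."""
    def __init__(self):
        self._entries = []   # deliberately no delete or edit method

    def record(self, ts, actor, action, target):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"ts": ts, "actor": actor, "action": action, "target": target, "prev": prev}
        self._entries.append({**body, "hash": _digest(body)})
        return self._entries[-1]["hash"]

    def entries(self):
        return list(self._entries)   # a copy, so callers cannot mutate the log

def verify_chain(entries):
    """Return (count, head_hash); raise TamperError on a gap or edited entry.
    Tail truncation is caught only by comparing head_hash with a copy of the
    head kept outside this store (for example, echoed into the web server log)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != e["hash"]:
            raise TamperError(f"audit chain broken at entry {i}")
        prev = e["hash"]
    return len(entries), prev

class AccountAdmin:
    # Hypothetical admin-panel service: free-text notes stay editable, but a
    # password reset is an audit event (the bug on this page filed it as a note).
    def __init__(self, audit):
        self.audit, self.notes = audit, {}

    def delete_note(self, ts, actor, account, index):
        del self.notes[account][index]
        self.audit.record(ts, actor, "note.delete", account)  # the deletion is logged

    def set_password(self, ts, actor, account, new_password_hash):
        self.audit.record(ts, actor, "password.reset", account)
        return new_password_hash   # stand-in for the real credential update
```

Because the chain alone cannot reveal that the newest entries were cut off, the current head hash should also be written somewhere the admin panel cannot edit.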

Mitigation and Response

Upon discovering the breach, GGG immediately took action to secure the accounts. They reset all passwords on the admin accounts and deleted all sessions to ensure no further unauthorized access. This swift response helped prevent any lasting damage to the server-side data and ensured the safety of players' accounts and in-game assets.

Current Status

While the immediate threat has been mitigated, the developers are still conducting further log analysis to gather more data for a comprehensive public report on the incident. Players have been reassured that their accounts and in-game items are currently safe.

In summary, the breach was caused by a compromised customer support account linked to an admin account through an unused Steam account. The hackers exploited this vulnerability, but GGG's prompt response has secured the system, although a full assessment of the breach remains ongoing due to technical issues with the audit logs.