Hacker Broke into Path of Exile 2 Admin Account, Hijacked Wave of Characters
www.404media.co
A hacker compromised an administrative account on the website for the popular game Path of Exile 2, which allowed them to reset the passwords on dozens of players' accounts, according to comments from developer Grinding Gear Games (GGG) made during a podcast on Sunday. This access would have given the hacker the ability to steal powerful and rare items from those players, some of whom had spent hundreds of hours grinding for valuable in-game currency.

The news comes after a wave of Path of Exile 2 players complained on the game's forums and social media about being hacked and having their inventories emptied. The comments also show that the hacker compromised the account shortly before the game's launch, seemingly lying in wait for players to build up their stashes of items before pulling off the heist.

"We totally fucked up here," Path of Exile 2 game director Jonathan Rogers said during a podcast recording with action role-playing game (ARPG) content creators GhazzyTV and Darth Microtransaction.

Rogers said the hack started with the compromise of a Steam account. That Steam account was linked to an administrative account on Path of Exile 2's website, he said. This gave the hacker the ability to do things like reset players' passwords, meaning they could then log into the game as those players. "Effectively what they had access to was the same stuff that customer service had access to," Rogers said.

Ordinarily, whenever a member of Path of Exile 2's support staff makes a change, that event is added to a list for potential later auditing. But when it came to resetting passwords, a bug meant that the change was saved as a note rather than as an event, Rogers said. The hacker was then able to delete the note saying a password had been changed, an apparent attempt to cover their tracks. Because of this, it wasn't immediately obvious to GGG what was happening with these account compromises, Rogers said.

Do you know anything else about this hack? I would love to hear from you.
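The logging flaw Rogers describes above comes down to where a privileged action is recorded: in a mutable note the same account can delete, or in an audit event it cannot. The following is an added illustration, not GGG's code and not a description of their systems: a toy support console whose password resets and note deletions feed an append-only, hash-chained audit trail, with the buggy "note only" path kept alongside the corrected one so the difference an auditor sees is visible. All account names, actors and timestamps are constructed.

```python
# Added illustration, not Grinding Gear Games' code: a support console whose
# privileged actions feed an append-only, hash-chained audit trail. The
# "_as_note" / "_unlogged" methods mirror the bug described in the article (a
# password reset remembered only as a free-text note that can be deleted); the
# corrected methods record both the reset and any note deletion as events.
# Every account name, actor and timestamp here is constructed for the example.
import hashlib
import json
import time
from dataclasses import asdict, dataclass
from typing import Optional


@dataclass(frozen=True)
class AuditEvent:
    seq: int          # position in the chain, starting at 0
    actor: str        # support/admin account that performed the action
    action: str       # "password_reset", "note_deleted", ...
    target: str       # player account the action was applied to
    ts: float         # unix timestamp
    prev_hash: str    # digest of the preceding event ("" for the first one)

    def digest(self) -> str:
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only event list; each event commits to the one before it."""

    def __init__(self) -> None:
        self._events: list = []

    def record(self, actor: str, action: str, target: str,
               ts: Optional[float] = None) -> AuditEvent:
        prev = self._events[-1].digest() if self._events else ""
        ev = AuditEvent(len(self._events), actor, action, target,
                        time.time() if ts is None else ts, prev)
        self._events.append(ev)
        return ev

    def events_for(self, target: str) -> list:
        return [e for e in self._events if e.target == target]

    def by_actor(self, actor: str) -> list:
        return [e for e in self._events if e.actor == actor]

    def head(self) -> tuple:
        """Anchor to keep outside the console: (event count, last digest)."""
        last = self._events[-1].digest() if self._events else ""
        return len(self._events), last

    def verify(self, anchor: tuple) -> bool:
        """True if the chain links up and nothing up to `anchor` was dropped."""
        count, last = anchor
        if len(self._events) < count:
            return False
        prev = ""
        for i, ev in enumerate(self._events):
            if ev.seq != i or ev.prev_hash != prev:
                return False
            prev = ev.digest()
            if i == count - 1 and prev != last:
                return False
        return True


class SupportConsole:
    """Constructed model of a customer-service console with per-account notes."""

    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit
        self.notes: dict = {}

    # Buggy behaviour: the reset survives only as a note, and notes can be
    # deleted without leaving any trace.
    def reset_password_as_note(self, actor: str, account: str) -> None:
        self.notes.setdefault(account, []).append(f"password reset by {actor}")

    def delete_note_unlogged(self, account: str, index: int) -> None:
        del self.notes[account][index]

    # Corrected behaviour: the reset is an event, and so is touching the notes.
    def reset_password(self, actor: str, account: str) -> AuditEvent:
        self.notes.setdefault(account, []).append(f"password reset by {actor}")
        return self.audit.record(actor, "password_reset", account)

    def delete_note(self, actor: str, account: str, index: int) -> AuditEvent:
        del self.notes[account][index]
        return self.audit.record(actor, "note_deleted", account)


def run_scenario() -> dict:
    """Replays both designs on constructed accounts and reports what an auditor sees."""
    log = AuditLog()
    console = SupportConsole(log)
    admin = "support-admin-01"           # constructed compromised support account
    victims = ["player_a", "player_b"]   # constructed player accounts

    # Weak design: reset, then wipe the note. The trail has nothing for these accounts.
    for v in victims:
        console.reset_password_as_note(admin, v)
        console.delete_note_unlogged(v, 0)
    unlogged = [v for v in victims if not log.events_for(v)]

    # Corrected design: both the reset and the cover-up attempt are recorded.
    for v in victims:
        console.reset_password(admin, v)
        console.delete_note(admin, v, 0)
    mine = log.by_actor(admin)
    anchor = log.head()
    chain_ok = log.verify(anchor)

    # Someone with direct storage access drops the last event; the externally
    # stored anchor exposes the truncation.
    log._events.pop()
    tamper_detected = not log.verify(anchor)

    return {
        "unlogged_resets": unlogged,
        "resets_in_trail": [e.target for e in mine if e.action == "password_reset"],
        "note_deletions": sum(e.action == "note_deleted" for e in mine),
        "chain_ok": chain_ok,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the design is that the weak path leaves the auditor with nothing to count, while in the corrected path the "66 notes deleted" figure Rogers had to infer from would instead be a direct query over `note_deleted` events, each tied to the actor that performed it; the hash chain and external anchor are what make deleting those events detectable rather than merely inconvenient.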
Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.

"66 notes were deleted, so that would imply that 66 accounts were compromised," Rogers said, although he caveated that GGG only keeps logs for 30 days. "Interestingly, the compromise was all prelaunch of POE2," Rogers said, meaning that the hacker gained access before the game was even available to the public.

Path of Exile 2 has been in the news lately after mounting evidence that Elon Musk, who presents himself as a high-level ARPG player, has likely been cheating in the game.

Path of Exile 2 launched in early access in November and has remained one of the most popular games on Steam, reaching between 250,000 and 290,000 players over the past week, according to data on the Steam player-count site SteamDB. In it, players command a variety of classes like Sorcerer, Warrior, or Witch, and trawl through dungeons looking for ever more powerful loot, much in the style of other ARPGs like Diablo.

Path of Exile 2 differs slightly in that it has a much stronger emphasis on trading with other players, which is essential for making a character stronger unless players deliberately avoid trading for the increased challenge. This trade is facilitated by the official Path of Exile 2 website.

Players typically trade items for a rare consumable called a Divine Orb, which can further improve their gear, making it the de facto currency of the Path of Exile 2 economy. A side effect is that many websites exist where people can pay real money for Divine Orbs, which they then use to trade for gear on the Path of Exile 2 trade site.

Multiple Path of Exile 2 players have recently complained of hackers breaking into their accounts and emptying their stashes of Divine Orbs.
"My exalted and divine all gone," one person wrote on the Path of Exile 2 forum in December, with Exalted Orbs being another in-game consumable.

In other cases hackers have stolen gear from players. In one, a hacker stole a particular ring. That player then found what they said was the exact same ring being sold on the Path of Exile 2 trade website, according to a post on the Path of Exile 2 subreddit. That post has since been deleted by the subreddit moderators, and moderators have also deleted similar posts on the official forum. In some cases these posts named what victims believed was the hacker's account.

Rogers said GGG is immediately adding two-factor authentication to all of its support accounts. "You can bet on that," he said. Rogers said he also wants to introduce two-factor authentication for player accounts, but that comes with the additional complexity of implementing ways for players to recover their accounts when they inevitably lose that second factor, such as a backup code or phone number.

GGG did not immediately respond to a request for comment.

Joseph is an award-winning investigative journalist focused on generating impact. His work has triggered hundreds of millions of dollars' worth of fines, shut down tech companies, and much more.