GGG’s Data Breach Statement
GGG has released a Statement about the recent data breach that allowed a malicious actor to gain access to a GGG Support admin account through social engineering. This allowed the perpetrator to change the passwords of lucrative accounts in order to gain access to them without detection. GGG assures that the attack vector has been fixed.
Key Takeaways
- The attacker used social engineering to gain access to an unused Steam Account which was linked to a GGG Admin Account.
- 66 accounts were directly affected by forced password changes.
- The attacker additionally was able to view information attached to (presumably) any PoE account such as E-mail, IP Addresses, Steam IDs, Shipping Addresses, Purchase Histories and temporary Unlock Codes.
- This allowed them to potentially search for E-mail addresses of target accounts on data leak websites in hopes that the account holder re-used the same password.
- No passwords or password hashes were viewable, meaning the attacker was not able to see the original passwords.
- Private messages on the compromised accounts were visible to the malicious actor.
- The attack vector has been fixed and GGG took measures to prevent this from happening in the future.
Data Breach Notification
Community_Team
Last week we became aware that a PoE account with admin access to the website owned by one of our developers had been compromised. This gave them access to the tools that our customer support agents use.
We immediately locked the account, and forced password resets on all other admin accounts. We then began an investigation into what had occurred.
The PoE account in question was linked to an old Steam account that was created by a developer for testing a long time ago, and didn't have any purchases on it. The compromise occurred when the attacker was able to supply enough information to Steam support to steal the account.
Since the account was a regular Steam account and had no purchases, phone numbers, addresses or other information associated with it, the only information that they were required to supply was the email and account name, and to be using a VPN from the same country.
The attacker set random passwords on 66 accounts. Unfortunately there was a bug in the event log for this particular support action that allowed the attacker to delete the event showing that the change had occurred. This bug doesn't exist for other support actions and has been fixed now.
The attacker also viewed account information for a significant number of accounts through our portal.
For those accounts they got access to the following private information:
- Email Address if the account had one associated
- Steam ID if the account had one associated
- IP Addresses that the account had used
- Shipping address if the account had previously had physical goods sent
- Current Unlock Code for unlocking accounts locked due to logging in from a different region
No passwords or password hashes were viewable through the customer service portal.
In addition there are some accounts where the attacker looked at transaction history which would have shown a list of previous purchases.
There are also some accounts where the attacker looked at the private message history on the account. Many of these are for GGG staff.
It is probable that the attacker would be able to compare email addresses found using our portal against publicly available lists of compromised passwords from other websites in order to find accounts that shared the same password with their PoE account. If that was the case, they would have been able to bypass the region locking using the unlock code.
We have taken steps to ensure that there are more security measures around admin accounts so that this cannot happen again. No 3rd party accounts are allowed to be linked to any staff accounts and we have added significantly more stringent IP restrictions.
We are incredibly sorry for this lapse in security. The measures taken to secure the admin website really should have already been in place and in the future we will be taking even more steps to make sure that this kind of issue never occurs again.
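The deletable event-log entry that the statement above describes is the kind of gap a tamper-evident audit log closes: if every entry commits to the hash of the one before it, and the latest hash is kept outside the support portal, removing the password-reset event is caught at verification time. The following is an added example illustrating that pattern, not GGG's own code; the action names, fields and scenario are constructed for illustration.

```python
import hashlib
import json
from typing import Optional

# Added example: tamper-evident audit log for support-portal actions.
# Action names and fields are constructed for illustration, not GGG's schema.
GENESIS = "0" * 64

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, actor: str, action: str, target: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor,
                "action": action, "target": target, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]  # current head; keep a copy outside the portal

def verify(entries: list[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index where it first breaks.
    expected_head (the last hash, stored out of band) also catches a deleted tail,
    which the chain alone cannot detect."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("prev") != prev or e.get("seq") != i or _digest(body) != e.get("hash"):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # entries were removed from the end
    return None

def simulate_deleted_reset_event() -> tuple:
    """Constructed scenario: the reset entry is deleted from the portal's log."""
    log = AuditLog()
    log.append("support_admin", "view_account", "player_a")
    log.append("support_admin", "force_password_reset", "player_b")
    head = log.append("support_admin", "view_account", "player_c")
    tampered = [e for e in log.entries if e["action"] != "force_password_reset"]
    # intact log verifies clean (None); tampered log breaks at index 1
    return verify(log.entries, head), verify(tampered, head)
```

Verification should run from a system the support admin cannot reach, so that a compromised admin session can neither edit the log nor the head hash it is checked against.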
Path of Exile Coverage
GGG's Data Breach Statement detailed how such an attack could have happened, and what they have done in order to prevent similar attacks in the future. Looking for more news on Path of Exile 2 Patches or Hotfixes? Then head over to our Discord and select the Path of Exile 2 role in #roles to stay up to date with our content development. Stay sane, Exile!
Written by: Cptn Garbage
Reviewed by: Tenkiei