Full Report
Path of Exile 2 developers confirmed that a hacked admin account allowed a threat actor to change the password and access at least 66 accounts, finally explaining how PoE 2 accounts have been breached since November. [...]
Analysis Summary
# Incident Report: Stolen Path of Exile 2 Admin Account Compromise
## Executive Summary
A stolen administrator account for the upcoming game *Path of Exile 2* was used by threat actors to compromise player accounts. The attackers leveraged the elevated privileges of the compromised admin account to access and potentially manipulate user data. The primary response involved immediate action by the developer, Grinding Gear Games, to secure systems and protect existing player data.
## Incident Details
- Discovery Date: Not explicitly stated, but detection occurred immediately following the compromise of the admin credential.
- Incident Date: Occurred shortly before public reports of player account compromises.
- Affected Organization: Grinding Gear Games (Developer of Path of Exile 2).
- Sector: Gaming / Software Development.
- Geography: Global (affecting their user base).
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed.
- Vector: Theft/compromise of a *Path of Exile 2* administrator account credential.
- Details: The exact method of initial credential compromise (e.g., phishing, internal leak) is not detailed, only that the admin account was stolen.
### Lateral Movement
- Details: The attacker utilized the high-privilege admin account to access systems affecting player accounts, suggesting direct access to user-facing infrastructure or administrative consoles.
### Data Exfiltration/Impact
- Details: Player accounts were compromised, and while Grinding Gear Games stated they secured the systems before widespread data loss, the potential impact involved unauthorized access to player data linked to those accounts.
### Detection & Response
- Detection Method: The incident became public when players started observing unauthorized activity or unauthorized changes on their accounts, prompting developer investigation.
- Response Actions: Grinding Gear Games quickly secured the compromised systems and confirmed the scope of the breach originating from the stolen admin access.
## Attack Methodology
- Initial Access: Compromised Administrator Credential.
- Persistence: Not detailed, but likely maintained as long as the stolen credential remained active or until the developer revoked access.
- Privilege Escalation: N/A - Attackers started with elevated administrator privileges.
- Defense Evasion: Not detailed.
- Credential Access: Initial access involved acquiring valid admin credentials through an undisclosed method.
- Discovery: Not detailed.
- Lateral Movement: Movement occurred through the administrative tools or systems that the stolen account was authorized to use.
- Collection: Access was used to interact with player account databases/systems.
- Exfiltration: Potential unauthorized reading/manipulation of player account information.
- Impact: Compromise of player accounts.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Unauthorized access to sensitive player account information. The scope of permanent data loss was mitigated by a swift response, according to the developer.
- Operational: Temporary operational disruption due to the need to immediately secure and audit administrative access points.
- Reputational: Negative impact due to the perceived insecurity of administrative controls protecting player data, especially pre-launch.
## Indicators of Compromise
(No specific indicators provided in the summary description. Indicators would pertain to the compromised admin user session and subsequent administrative activity.)
- Network indicators: [Not provided]
- File indicators: [Not provided]
- Behavioral indicators: Use of high-privilege administrative actions outside of normal operational hours or by unauthorized personnel.
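A defender-side check for the behavioral indicator above, as an added example that is not taken from the report or from Grinding Gear Games: it scans constructed admin audit log lines for password changes made outside an assumed operational window and for a single admin resetting many distinct player accounts in a short burst (the pattern the reported 66-account password changes would produce). The log format, field names, operational window and thresholds are all assumptions.

```python
"""Flag admin accounts whose password-reset activity looks anomalous.

Added example, not code from the report or the developer. The log format,
actor names, business-hours window and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample admin audit log: timestamp, admin user, action, target account
SAMPLE_LOG = """\
2024-11-03T02:14:07Z admin_ops PASSWORD_CHANGE player_1001
2024-11-03T02:14:31Z admin_ops PASSWORD_CHANGE player_1002
2024-11-03T02:15:02Z admin_ops PASSWORD_CHANGE player_1003
2024-11-03T02:15:40Z admin_ops PASSWORD_CHANGE player_1004
2024-11-03T10:30:00Z support_lead PASSWORD_CHANGE player_2001
2024-11-03T14:05:11Z support_lead VIEW_ACCOUNT player_2002
"""

BUSINESS_HOURS = range(8, 18)  # assumed operational window: 08:00-17:59 UTC


def parse(log_text):
    """Parse the assumed whitespace-separated log format into event tuples."""
    events = []
    for line in log_text.splitlines():
        ts, actor, action, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target))
    return events


def flag_admins(events, window=timedelta(minutes=10), max_targets=3):
    """Return {actor: [reasons]} for admins with after-hours or burst password resets."""
    findings = defaultdict(list)
    resets_by_actor = defaultdict(list)
    for ts, actor, action, target in events:
        if action != "PASSWORD_CHANGE":
            continue
        if ts.hour not in BUSINESS_HOURS:
            findings[actor].append(f"after-hours PASSWORD_CHANGE on {target} at {ts.isoformat()}")
        resets_by_actor[actor].append((ts, target))
    # Sliding window: one admin resetting more than max_targets distinct accounts within `window`
    for actor, resets in resets_by_actor.items():
        resets.sort()
        start = 0
        for end in range(len(resets)):
            while resets[end][0] - resets[start][0] > window:
                start += 1
            distinct = {t for _, t in resets[start:end + 1]}
            if len(distinct) > max_targets:
                findings[actor].append(f"{len(distinct)} distinct accounts reset within {window}")
                break
    return dict(findings)
```

Running `flag_admins(parse(SAMPLE_LOG))` flags only `admin_ops`, with four after-hours resets plus one burst finding, while the daytime single reset by `support_lead` passes.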
## Response Actions
- Containment (Implied): Revocation of the compromised administrator credentials and securing the systems where those credentials had access.
- Eradication (Implied): Auditing all recent actions performed under the compromised account.
- Recovery (Implied): Not detailed, but likely involved confirming system integrity post-compromise.
## Lessons Learned
- The security surrounding administrative credentials, particularly for pre-release assets like *Path of Exile 2*, must be exceptionally tight.
- A single compromised high-privilege account can lead directly to widespread compromise of user data.
## Recommendations
- Implement mandatory Multi-Factor Authentication (MFA) on all administrator and development accounts, regardless of perceived internal network security.
- Conduct immediate audits of all privileged access credentials following any security incident involving administrative systems.
- Review the segregation of duties for administrative accounts, ensuring that access to player data is not unnecessarily bundled with development tool access.