Potential User Data Breach

While we have no evidence that private user information was taken, we cannot rule this out. The personal information that we store can include:
  • An email address.
  • A salted and hashed password.
  • Recent IP addresses used to access the game and website.
  • For users who have had goods shipped to them, a name and physical address.

To reiterate, we have no evidence that the above data was accessed, but our investigation is still ongoing.

We believe that the time period that the attacker had access to this information was the ten days from March 13 to March 23 (NZT).

We do not store any payment information like credit card numbers. It is stored at the external payment processors we use. There is no way that credit card information could have been accessed.

Our passwords are salted and hashed, which means that if the password data were stolen, the passwords would need to be brute-forced before they could be used. Due to the salting, this would have to be done for each user individually. Such brute-forcing would take tens of years or longer for secure passwords, but may be a matter of days or weeks of computation (per user) for weak passwords. Weak passwords are ones like "password123" that are easy to guess. The longer and more complex the password, the better.

We have no evidence the password database was accessed and are not aware of any compromised Path of Exile accounts, so we are not forcing all users to change their passwords at this stage. However, we would recommend changing your Path of Exile password if it's weak. If you're sharing this password with other services then we recommend you change those also. We always suggest you use a unique password for Path of Exile (regardless of whether it's weak or not).

We are truly sorry about this potential breach of personal information. It should not have occurred and we are working to ensure it will not happen again.
Last edited by Chris on Mar 28, 2017, 4:29:22 PM
Sexcalibure wrote:
So will 3.0 be delayed?

I hope not. The team have been able to mostly work through this uninterrupted. There are some parts of our build infrastructure that are still down, but that doesn't stop people creating content.

Nephalim wrote:
Should we change your passwords now just to be safe even if it was strong?

It's always good to change your passwords often, so definitely.

I_NO wrote:
So does this mean they also had steam password access if your game is connected to steam? PW wise.

They couldn't get your Steam password. We don't know those on our end.
