Data Breach Notification
Why were users not informed of this within 72 hours of GGG becoming aware of the breach, as required by Article 34 GDPR?
Last edited by Serendeputy#8295 on Jan 15, 2025, 8:07:59
|
|
They should be forcing a password change across the board at a minimum. Likewise, there's clearly no audit process here. In the USA, SOX law requires audit controls in place, including change logs, verifying who has access to a resource and who should not, as well as a documented process for lockdown and change. None of these standard practices seem to be employed here.
Yet another unpaid Path of Exile 2 Alpha Tester.
Last edited by TwentyFiveEX#7096 on Jan 15, 2025, 8:12:47
|
|
I really don't think they're telling us everything here. I'm pretty sure someone got access to those admin tools that was posted on Reddit, and it didn't happen through Steam.
Ninja.
|
|
Not only that, this breach was making the rounds for weeks. GGG rn are actually in breach of UK and New Zealand laws when it comes to data breaches (both require that you report the breach within 72 hours). No chance they only came across this "Now" when their own audit logs don't even go back more than 30 days. 2FA needs to be added.
Last edited by Cloop123#0584 on Jan 15, 2025, 8:20:07
|
|
Not to mention the laws of every EU country.
Last edited by Serendeputy#8295 on Jan 15, 2025, 8:29:06
|
|
A lot of people want 2FA and I agree; however, 2FA wouldn't have helped in this case, unless you would require 2FA for the admin panel! :)
|
|
How does this factor in the hacks this week + Steam users getting hacked too without triggering Steam's 2FA?
|
|
LOL. There is no "real market value", because it's against TOS to sell/buy ingame items or currency. So it's very unlikely you will be able to build a case like that.
|
Hello GGG Team,
I want to begin by acknowledging the recent Data Breach Notification post. It’s a positive first step in addressing what happened, and I appreciate the transparency shown. However, I’d like to raise additional concerns about the direct impact on players who were affected by this incident.

Many compromised players faced accusations—both from the community and, indirectly, through support responses—of engaging in RMT, phishing, or using unauthorized third-party tools. These claims not only exacerbated the frustration but also unfairly shifted responsibility onto the victims during an already challenging situation.

While the apology provided in the post addresses the broader community, it doesn’t seem to specifically acknowledge or apologize to the players who:
- Lost access to their accounts for weeks, with some still locked out.
- Suffered progress loss due to the initial compromises.
- Endured prolonged account locks with limited or no communication.
- Were told to “check their passwords” or “don’t RMT,” implicitly blaming them for the compromises.

This handling left many players feeling unsupported and unfairly judged. While I understand the focus on improving security measures, a direct acknowledgment of the harm caused—both technically and socially—would mean a great deal to those affected.

Are there any plans for compensation or specific outreach to the directly impacted players? The time lost, progress erased, and emotional toll are significant for those who trusted their accounts and time with Path of Exile.

Thank you for your time and consideration. I hope these concerns can be addressed to provide closure for those impacted and to rebuild trust within the community.

Best regards
|
I'd take any post of supposed hacking without proof with a very big grain of salt. Especially on bot-infested Reddit.
|