Data Breach Notification

Last week we became aware that a PoE account with admin access to the website owned by one of our developers had been compromised. This gave them access to the tools that our customer support agents use. We immediately locked the account and forced password resets on all other admin accounts. We then began an investigation into what had occurred. The PoE account in question was linked to an old Steam account that was created by a developer for testing a long time ago, and didn't have any purchases on it. The compromise occurred when the attacker was able to supply enough information to Steam support to steal the account. Since the account was a regular Steam account and had no purchases, phone numbers, addresses or other information associated with it, the only information that they were required to supply was the email and account name, while using a VPN from the same country. The attacker set random passwords on 66 accounts. Unfortunately there was a bug in the event log for this particular support action that allowed the attacker to delete the event showing that the change had occurred. This bug doesn't exist for other support actions and has been fixed now. The attacker also viewed account information for a significant number of accounts through our portal. For those accounts they got access to the following private information:

No passwords or password hashes were viewable through the customer service portal. In addition there are some accounts where the attacker looked at transaction history, which would have shown a list of previous purchases. There are also some accounts where the attacker looked at the private message history on the account. Many of these are for GGG staff. It is probable that the attacker would be able to compare email addresses found using our portal against publicly available lists of compromised passwords from other websites in order to find accounts that shared the same password with their PoE account. If that was the case, they would have been able to bypass the region locking using the unlock code. We have taken steps to ensure that there are more security measures around admin accounts so that this cannot happen again. No third-party accounts are allowed to be linked to any staff accounts and we have added significantly more stringent IP restrictions. We are incredibly sorry for this lapse in security. The measures taken to secure the admin website really should have already been in place and in the future we will be taking even more steps to make sure that this kind of issue never occurs again.
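The notification's key technical finding is that a support action's event-log entry could be deleted by the same account that performed it. The sketch below is an added illustration, not GGG's code, of how an audit log for support-portal actions can be made append-only and self-checking: each entry commits to the previous one by hash, and the newest hash (the "head") is assumed to be copied to a store the support role cannot write to. Field names, the sample actions and the `AuditLog`/`verify` API are all constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first entry


def _digest(entry):
    """SHA-256 over every field except the entry's own hash, in canonical JSON."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log of support-portal actions (hypothetical).
    Entries can only be added; each one commits to its predecessor, so
    removing or editing an entry breaks the chain for everything after it."""

    def __init__(self):
        self._entries = []

    def record(self, actor, action, target, details=None):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries),
            "actor": actor,
            "action": action,
            "target": target,
            "details": details or {},
            "prev_hash": prev,
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry

    def entries(self):
        # Hand out copies; callers never get a handle on the live list.
        return [dict(e) for e in self._entries]

    def head(self):
        """Hash of the newest entry. Assumed to be mirrored to a write-once
        store outside the portal, so truncating the tail is detectable."""
        return self._entries[-1]["hash"] if self._entries else GENESIS


def verify(entries, expected_head):
    """Walk the chain; report the first gap, edit or truncation found."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at position {i} (found seq {e['seq']})"
        if e["prev_hash"] != prev:
            return False, f"entry {e['seq']} does not chain to its predecessor"
        if _digest(e) != e["hash"]:
            return False, f"entry {e['seq']} content does not match its hash"
        prev = e["hash"]
    if prev != expected_head:
        return False, "log head does not match the externally stored head (tail truncated?)"
    return True, "ok"


def demo():
    """Constructed scenario: three support actions, then three kinds of tampering."""
    log = AuditLog()
    log.record("dev-test-acct", "set_password", "player-0001")
    log.record("dev-test-acct", "view_account", "player-0002")
    log.record("dev-test-acct", "view_messages", "player-0003")
    head = log.head()
    intact = log.entries()

    middle_deleted = [e for e in intact if e["seq"] != 1]  # the password reset vanishes
    tail_deleted = intact[:-1]                             # newest entry vanishes
    edited = log.entries()
    edited[0]["action"] = "view_account"                   # rewrite what was done

    return {
        "intact": verify(intact, head),
        "middle_deleted": verify(middle_deleted, head),
        "tail_deleted": verify(tail_deleted, head),
        "edited": verify(edited, head),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} {'OK ' if ok else 'BAD'} {why}")
```

The chain alone does not catch removal of the most recent entry, which is exactly the case a single deleted event represents; that is why the head hash has to live somewhere the portal's admin role cannot overwrite, and why `verify` compares against it. In a real deployment the same property is usually obtained by shipping events to a separate, write-only log sink rather than by storing the chain inside the portal's own database.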
I really look forward to 2FA being available to the wider player base to bolster the security of the entire PoE community. Last edited by ClumsyParasite#3060 on Jan 14, 2025, 7:46:11 PM

rue is a cat

Nice

oh my

pog?

You hate to see it. Gotta stay on top of those developer accounts. Access review is key.

W transparency

Will people who have had their accounts lost or items stolen receive support in getting those back?

What happens to the items they stole? This is on GGG.
You said they looked at a significant amount of account information. The EXACT information GGG uses to verify if someone who claims they own an account actually does. How are we supposed to protect our accounts now that someone could possibly have all the information needed to recover the account through support? The exact same method that they used to get through Steam support works with GGG support. Except this time, they have ALL the information they could need saved with screenshots. Where is 2FA? Last edited by PoE#8983 on Jan 14, 2025, 9:37:06 PM