Data Breach Notification

https://www.privacy.org.nz/responsibilities/privacy-breaches/

What is a privacy breach?
“A privacy breach occurs when an organisation or individual either intentionally or accidentally:
- Provides unauthorised or accidental access to someone's personal information.
- Discloses, alters, loses or destroys someone's personal information.
- A privacy breach also occurs when someone is unable to access their personal information due to, for example, their account being hacked.”

“Under the Privacy Act 2020, if your organisation or business has a privacy breach that either has caused or is likely to cause anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as you are practically able.”

What is serious harm?
“The unwanted sharing, exposure or loss of access to people’s personal information may cause individuals or groups serious harm. Some information is more sensitive than other information and therefore more likely to cause people serious harm.

Examples of serious harm include:
- Physical harm or intimidation
- Financial fraud, including unauthorised credit card transactions or credit fraud
- Family violence
- Psychological or emotional harm”

This incident likely falls within the bounds of New Zealand’s Privacy Act notifiable data breach criteria, and GGG may be in breach of several aspects.

Affected customers should be directly notified. The Privacy Commissioner should have been informed no later than 72 hours after GGG became aware of the breach.
Some of you really need to relax.

Shit happens. They took responsibility. They're taking steps to move forward.

You guys act like your data isn't already out there from however many other breaches.
Thank you for your extreme transparency on the data breach but this is concerning:

"
The attacker also viewed account information for a significant number of accounts through our portal.

For those accounts they got access to the following private information:

* Email Address if the account had one associated
* Steam ID if the account had one associated
* IP Addresses that the account had used
* Shipping address if the account had previously had physical goods sent
* Current Unlock Code for unlocking accounts locked due to logging in from a different region

In addition there are some accounts where the attacker looked at transaction history which would have shown a list of previous purchases.
"

Are the affected people going to be notified of this? Having someone's full real-world information leaked plus the whole transaction history is a huge issue. (Not to mention that this info is required by GGG support to prove account ownership.)
My Forum Thread | https://www.pathofexile.com/forum/view-thread/3289135
My Hideout Showcase | https://hideoutshowcase.com/viewprofile/RevanBane
Hideout Community Discord | https://discord.gg/8McTXAKFbG
This is a serious failing in understanding by your staff on basic security. It is also an insight into your internal testing of security.

Trust has been compromised.

I suggest you bring in 3rd party auditors to go over your internal security and make the results public.
Patch notes when?
So the 2 Mirrors and all other gear/currency that was taken from me a year ago might have been taken by this hacker.

The most frustrating experience about getting my account back was the lack of help from support in identifying if my account was accessed via Steam or Login, despite players now knowing that Support has access to Account Login History.

Support kept insisting that it was my fault that my account was breached, despite me having used:

- Unique email
- Unique password
- Emails forwarded to a second email (no login key was ever received)

I really hope steps are taken to ensure this never happens again. It was bad enough losing all my stuff, but being assigned the blame for it was even worse.
Last edited by TheXIIILightning#5005 on Jan 15, 2025, 12:19:10 AM
Beyond the fact it happened.

What bothers me the most is that, beyond the hack, their own logging policies weren't protected from editing...

ANY sysadmin knows that logs need to be write-only, never modified.

Like, that actually blew my mind. How badly are you running your systems to fail Logging 101?

They might be good at making games, but as sysadmins, this is a failing grade at the most basic stuff.
Hope my account wasn’t compromised by attacker :x
It will convert your forum titles into decorative square badges that use the space next to your forum posts more economically so that you can show off an unlimited number of them at any one time. - GGG, 2018 (https://www.pathofexile.com/forum/view-thread/3573673)
"
Unfortunately there was a bug in the event log for this particular support action that allowed the attacker to delete the event showing that the change had occurred.
"

More likely it was overlooked than that it was a specific bug.
Calling it a "bug" was for future liability reasons.
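The "logs need to be write-only" point in the earlier post and the quoted GGG statement about a deleted support event both come down to the same control: an audit log that can only be appended to, with tampering detectable after the fact. The following is an added illustration (not GGG's code and not either poster's), written in Python. The class and field names (AuditLog, GENESIS, the support-action event names, the account identifier) are hypothetical, and the sample events are constructed for the demo. It goes a little beyond the posts: it shows that a hash chain alone catches deletion of a middle record but not deletion of the most recent one, which is why the record count and head hash also have to be mirrored to a store that the same attacker cannot reach (a separate log host, a WORM bucket, or a signed counter).

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # hypothetical placeholder "previous hash" for the first record


def _digest(record: Dict) -> str:
    """SHA-256 over the canonical JSON of a record, excluding its own 'hash' field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only event log: each record commits to the hash of the one before it."""

    def __init__(self) -> None:
        self._records: List[Dict] = []

    def append(self, actor: str, action: str, target: str) -> Dict:
        prev = self._records[-1]["hash"] if self._records else GENESIS
        record = {
            "seq": len(self._records),
            "actor": actor,
            "action": action,
            "target": target,
            "prev": prev,
        }
        record["hash"] = _digest(record)
        self._records.append(record)  # the only write path; there is no delete or update
        return record

    def anchor(self) -> Dict:
        """Value to copy to a separate, independently protected store (count + head hash)."""
        head = self._records[-1]["hash"] if self._records else GENESIS
        return {"count": len(self._records), "head": head}

    def records(self) -> List[Dict]:
        return list(self._records)


def first_break(records: List[Dict]) -> Optional[int]:
    """Index of the first record whose sequence, chain link or digest is wrong; None if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev or _digest(rec) != rec.get("hash"):
            return i
        prev = rec["hash"]
    return None


def verify(records: List[Dict], anchor: Dict) -> Dict:
    """Check the chain itself, then compare its length and head against the external anchor."""
    head = records[-1]["hash"] if records else GENESIS
    return {
        "chain_break": first_break(records),
        "tail_intact": len(records) == anchor["count"] and head == anchor["head"],
    }


def demo() -> Dict:
    # Constructed sample events for illustration only; not real support actions or account data.
    log = AuditLog()
    log.append("support-agent-1", "session.start", "account:exile#1234")
    log.append("support-agent-1", "email.change", "account:exile#1234")
    log.append("support-agent-1", "unlock_code.view", "account:exile#1234")
    anchor = log.anchor()  # in practice shipped to a store the attacker cannot reach
    intact = log.records()

    # Attacker deletes the middle record (the email change): the chain breaks at index 1.
    middle_deleted = [intact[0], intact[2]]

    # Attacker deletes the last record: the chain still looks valid, only the anchor catches it.
    tail_deleted = intact[:2]

    return {
        "intact": verify(intact, anchor),
        "middle_deleted": verify(middle_deleted, anchor),
        "tail_deleted": verify(tail_deleted, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In a real deployment the append path would also be the only path the application has to the log storage (append-only file mode or a forwarder to a separate log host), so that a bug in one support action cannot turn into a delete; the chain and anchor are what let you prove, after the fact, whether anything was removed.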
I appreciate that they tell us at all what happened. I'm sadly used to Blizzard responses, which aren't much more than "we are working on it" or "we already have". They almost never reveal how hacks happen.
My PoE 2 account has been locked since 22 Dec, for 3 weeks; I had to make this account to post on the forums.

I emailed support from 2 different emails, providing all the info regarding what happened, and gave payment receipts from PayPal and in-game character details. After 3-4 back-and-forth emails, I thought all the necessary info had been given, yet the latest email asked for more info. Why aren't all the necessary questions asked at once? Now how much longer do I have to wait? Why isn't support prioritising those who emailed first? I learnt not to send follow-up emails so as not to reset my position, so why is there someone who emailed later and got theirs resolved first?


After so long, I don't expect compensation, though I honestly think some small compensation is only right after so long? Let's say no compensation; the least you guys can do is let me play the game I paid for by unlocking my account first and refunding me for the unauthorised purchases of 4 EA keys on 19 Dec. They were bought via my PoE 2 account; I play via Steam and have never touched the standalone client before, even in my brief playthrough of PoE 1, and there is no purchase history in my Steam history besides the first key. I scanned my PC for malware (clean), did not use 3rd-party apps, and I only used the PoE 2 trade website.

If the next email still asks me for info to prove that I'm the owner of this account, I will be so f mad that I'll think you guys are just toying with me or stalling for whatever reason.

I gave you what I can remember from the 3 weeks of no login; how much more, or for how much longer, can I remember those details? But I did make a typo in my latest email reply: I wanted to say I purchased all variations of stash tabs but instead I typed guild tabs. Thank f I saved my PoE 2 profile website as a bookmark for convenience; I didn't even know there was a 4-digit # number attached.

Unlock my account and let me play.
akatsuki_wei#5715
