Genshin Impact developer accused of risking players' privacy

  • Thread starter Marc
The report comes from someone who went to MiHoYo's website and entered their username to reset their password. It had shown the mobile phone number associated with their account in full. Therefore anyone would be able to access any player's connected phone number.

Andreas, a Digital Privacy Expert at ProPrivacy, shared the following with Nintendo Life:
Andreas Theodorou said:
"This is not the first time MiHoYo has been criticized for failing to secure users’ privacy and shows how little concern they pay. By showing users’ personal information, with no authentication, they have allowed potential stalkers, scammers, and other cybercriminals access to sensitive information, and carelessly put Genshin players at risk.

"It was entirely possible for cybercriminals to search for specific players’ phone numbers and implement targeted attacks based on the information MiHoYo had provided. Genshin players should take great care over the coming months and be wary of any potential scams or harassment that may come about because of MiHoYo’s failings."
If you have a phone number associated with your account, I'd recommend unlinking it until they show an effort to resolve the situation. Your phone number could be used to get more private information about you, or for spam-related marketing activities.

What do you think about MiHoYo's lack of phone number privacy?
 
This is actually really surprising to me because MiHoYo is a well-known developer (they worked on another game called Honkai Impact, a very popular game) and this sort of leak seems very unusual. This isn't a situation that is affecting all accounts, however; some seem to be still censored correctly, and it seems to be a situation with the coding.

Nintendo Life said:
Reddit user TiltOnPlay reported the breach online yesterday, explaining that when visiting MiHoYo's website and entering their username while attempting to reset a password, their mobile number associated with their account was shown in full. This would theoretically suggest that anyone could access a player's mobile number by simply knowing their username and typing it into the website.

The post gathered lots of attention from other Genshin Impact players, who began to report on their own findings. It appears that some players' numbers were censored correctly, while others weren't, indicating that not all accounts had been affected. At the time of writing, players believe that the issue may have been fixed, although there still appears to be plenty of confusion over how and why the personal data was exposed.

It doesn't seem like MiHoYo was purposefully being lazy with their security measures. I just feel as though people are making it that way because the type of Anti-Cheat that they use is known to be invasive with your privacy, which they have taken action on, as quoted here from MiHoYo themselves:

MiHoYo said:
"The game's anti-cheat program will immediately end once the game client is closed or uninstalled," "We sincerely apologize for any inconvenience caused by this issue. We will do our utmost to prevent such issues from occurring again in the future, and will continue optimizing our workflow to bring the highest-quality gaming experience possible to all of our Travelers."

I believe that this wasn't something that MiHoYo meant to do, and I feel as though this is an honest mistake made by the company, especially since Genshin Impact is a game that is growing so quickly. Maybe they didn't have time to look over all of that, because they are also having to deal with making the gameplay experience as stable and expansive as possible for the players.


EDIT: Got more information on the matter

TiltOnPlay said:
If you linked via mobile, your phone numbers are publicly visible to everyone
Seems to be fixed now (Was affecting some phone numbers)
This has to be some sort of mistake right? Right now, if you were to go to the miHoYo account website --> forgot password --> and then enter your username, the email would be partially censored.

However, if you linked a mobile number, it is NOT censored at all. So if you have a common username or your username on Genshin is the same on another service such as Reddit, anyone on the internet can see your phone number. You can see for yourself right now on the website.

Having private information exposed this easily on the internet isn't ok.

Probably the wise thing to do right now is to unlink your phone number for now. Hopefully miHoYo does something about this.

Proof:
edit: some regions seem to have their phone numbers censored. EU and NA numbers are not censored, possibly Asia too?

Check here https://account.mihoyo.com/?lang=en#/forgetPassword

If your mobile number is displayed without any asterisks ***, please unlink your phone number on miHoYo's website or in-game.

EDIT: This seems to be fixed now? I've relinked my mobile number and now it seems to be asterisked partially. Still going to keep it unlinked just in case. However, this issue most likely has been in the game for weeks if not since launch; the fact that mHY hasn't said anything is very concerning.

Probably a good idea for miHoYo to finally add some sort of Two Factor Authentication to let us feel a bit more secure. To provide feedback to mHY, it seems most efficient to go in game --> menu --> feedback (bottom right, should open a page in your browser) --> on the page that opened click submit feedback --> proceed to submit

According to the post above, the issue is now fixed; however, you might still want to be careful with linking your account.
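
Added example (not part of the thread and not miHoYo's code): a Python model of the behaviour reported above, where the password-reset hint masks the email but returns the mobile number raw, next to a version that passes every contact field through a masker that ignores regional formatting, plus a regression check that flags a full contact value in the response. The field names `email` and `mobile`, the function names and the sample records are assumptions constructed for illustration.

```python
import json
import re

def mask_email(email: str) -> str:
    """Keep the first character and the domain; fail closed if malformed."""
    local, sep, domain = email.partition("@")
    if not (sep and local and domain):
        return "***"
    return local[0] + "*" * max(len(local) - 1, 3) + "@" + domain

def mask_phone(phone: str, keep_last: int = 2) -> str:
    """Mask every digit but the last few, whatever the regional format."""
    digits = re.sub(r"\D", "", phone)  # drop '+', spaces, brackets, dashes
    if len(digits) <= keep_last + 2:
        return "****"  # too short to hint at safely
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]

def hints_as_reported(record: dict) -> dict:
    """Behaviour described in the thread: email masked, mobile returned raw."""
    return {"email": mask_email(record["email"]), "mobile": record["mobile"]}

def hints_masked(record: dict) -> dict:
    """Hardened form: every contact field passes through a masker."""
    maskers = {"email": mask_email, "mobile": mask_phone}
    return {k: fn(record[k]) for k, fn in maskers.items() if record.get(k)}

def leaks_raw_contact(response: dict, record: dict) -> bool:
    """Regression check: does the serialized response hold a full contact value?"""
    body = json.dumps(response)
    body_digits = re.sub(r"\D", "", body)
    email = record.get("email") or ""
    phone_digits = re.sub(r"\D", "", record.get("mobile") or "")
    email_leak = bool(email) and email in body
    phone_leak = len(phone_digits) > 4 and phone_digits in body_digits
    return email_leak or phone_leak

# Constructed sample records (fictional numbers, not real accounts).
SAMPLES = [
    {"email": "traveler@example.com", "mobile": "+1 (555) 010-0199"},
    {"email": "player2@example.org", "mobile": "+44 7700 900123"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        for build in (hints_as_reported, hints_masked):
            out = build(rec)
            print(build.__name__, out, "LEAK" if leaks_raw_contact(out, rec) else "ok")
```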
 
That is just messed up. Security should always come first, and it's irresponsible and can lead to some people thinking that you would be selling their info, or even worse stuff. I'm always considering my privacy, and second-thinking about giving my email. (tho I gave my email, luckily it's a junk email, to several sites that won't let u delete ur acc or change ur info......)
 
OK, I cannot stress enough that this issue was dealt with almost immediately after it was discovered. A few hours after the original Redditor reported the glitch, the issue seems to have been dealt with in a timely manner. If there are still accounts with their phone numbers still showing... then that's going to be an issue obviously.
 