Chinese developer MiHoYo, which recently launched Genshin Impact on PS4 and mobile devices, has been accused of a data breach that may have risked players’ privacy.
Reddit user TiltOnPlay reported the breach online yesterday, explaining that when visiting MiHoYo’s website and entering their username while attempting to reset a password, their mobile number associated with their account was shown in full. This would theoretically suggest that anyone could access a player’s mobile number by simply knowing their username and typing it into the website.
The post gathered lots of attention from other Genshin Impact players, who began to report on their own findings. It appears that some players’ numbers were censored correctly, while others weren’t, indicating that not all accounts had been affected. At the time of writing, players believe that the issue may have been fixed, although there still appears to be plenty of confusion over how and why the personal data was exposed.
In a comment shared with Nintendo Life, Digital Privacy Expert at ProPrivacy, Andreas Theodorou, says that the situation shows the “little concern” MiHoYo pays to its users. Theodorou warns players to “take great care over the coming months”, which might be something to keep in mind when the Switch version eventually drops.
“This is not the first time MiHoYo has been criticized for failing to secure users’ privacy and shows how little concern they pay. By showing users’ personal information, with no authentication, they have allowed potential stalkers, scammers, and other cybercriminals access to sensitive information, and carelessly put Genshin players at risk.
“It was entirely possible for cybercriminals to search for specific players’ phone numbers and implement targeted attacks based on the information MiHoYo had provided. Genshin players should take great care over the coming months and be wary of any potential scams or harassment that may come about because of MiHoYo’s failings.”