A Reddit user named TiltOnPlay recently highlighted a vulnerability that casts a serious shadow on Chinese studio MiHoYo, the developer and publisher behind the mega-successful game Genshin Impact.
To give you an idea of how successful we're talking: only one month after its launch, users had spent $245 million on Genshin Impact. But now its developer is being criticized for failing to protect users' privacy. TiltOnPlay noted that when they visited the MiHoYo website and entered their own username while attempting to reset their password, the site displayed their full mobile number, unmasked, before they had authenticated in any way.
This is a particularly troublesome situation because it means that, in theory, anyone who wanted a Genshin Impact player's mobile number would only need to know that player's username and submit it to the password reset form. Soon after TiltOnPlay reported the issue, other Genshin Impact players confirmed that their numbers were displayed as well. A few, however, noted that their numbers appeared masked.
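To make the failure concrete, here is an added illustration of the pattern the reports describe, placed side by side with a hardened version. This is example code written for this article, not MiHoYo's code: the account records, the handler names and the out-of-band code sender are all assumptions. The vulnerable handler hands back the full number for any username with no authentication; the hardened one replies identically whether or not the username exists and never exposes more than a masked form of the number.

```python
import secrets

# Constructed sample account store for this example only. These are not real
# Genshin Impact accounts; the numbers are made up.
ACCOUNTS = {
    "TiltOnPlay": {"mobile": "+14155550123"},
    "Paimon": {"mobile": "+8613800138000"},
}

# Records of reset codes "sent" out of band (stands in for an SMS gateway).
SENT_CODES = []


def deliver_reset_code(mobile):
    """Hypothetical out-of-band sender: generate a one-time code and record
    the delivery. A real system would hand this to an SMS provider."""
    code = f"{secrets.randbelow(10**6):06d}"
    SENT_CODES.append({"mobile": mobile, "code": code})
    return code


def reset_lookup_vulnerable(username):
    """The pattern the article describes: an unauthenticated request carrying
    only a username gets the account's full mobile number back. As a bonus
    for an attacker, the response also reveals whether the username exists."""
    account = ACCOUNTS.get(username)
    if account is None:
        return {"found": False}
    return {"found": True, "mobile": account["mobile"]}


def mask_mobile(number, visible=2):
    """Replace every digit except the last `visible` ones with '*'. Non-digit
    characters such as a leading '+' are kept so the legitimate owner still
    recognises the shape of their own number."""
    digit_positions = [i for i, ch in enumerate(number) if ch.isdigit()]
    keep = set(digit_positions[-visible:]) if visible > 0 else set()
    return "".join(
        "*" if ch.isdigit() and i not in keep else ch
        for i, ch in enumerate(number)
    )


def reset_lookup_hardened(username):
    """Hardened form. The reset code goes to the number on file, but the
    response body is identical for existing and unknown usernames and never
    contains the number, so the endpoint can be used neither to harvest phone
    numbers nor to enumerate accounts."""
    account = ACCOUNTS.get(username)
    if account is not None:
        deliver_reset_code(account["mobile"])
    return {
        "message": "If that username exists, a reset code was sent "
                   "to the mobile number on file."
    }


def masked_contact_for_display(username):
    """Where the product wants to tell the user which number the code went
    to (as the 'censored' numbers some players saw), only a masked form is
    ever returned. Returns None for unknown usernames."""
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    return mask_mobile(account["mobile"])


if __name__ == "__main__":
    print("vulnerable:", reset_lookup_vulnerable("TiltOnPlay"))
    print("hardened:  ", reset_lookup_hardened("TiltOnPlay"))
    print("hardened (unknown user):", reset_lookup_hardened("nobody"))
    print("masked hint:", masked_contact_for_display("TiltOnPlay"))
```

Note that even the hardened handler still does different work for known and unknown usernames (it only sends a code for real accounts), so a careful implementation would also keep response timing uniform; the example concentrates on the disclosure itself.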
This shouldn't happen — Andreas Theodorou, who is a digital privacy expert at ProPrivacy, told Nintendo Life that the entire ordeal reflects poorly on MiHoYo. "This is not the first time MiHoYo has been criticized for failing to secure users’ privacy and shows how little concern they pay. By showing users’ personal information, with no authentication, they have allowed potential stalkers, scammers, and other cybercriminals access to sensitive information, and carelessly put Genshin players at risk," Theodorou said.
"It was entirely possible for cybercriminals to search for specific players’ phone numbers and implement targeted attacks based on the information MiHoYo had provided," Theodorou added. "Genshin players should take great care over the coming months and be wary of any potential scams or harassment that may come about because of MiHoYo’s failings."
What you should do — Given that MiHoYo frequently encourages users to link their game accounts to the main website, this flaw could expose even more users' private data. Until the developer works out exactly what happened and clearly confirms that the problem has been fixed and will not recur, we suggest that you keep your credentials to yourself, unlink your mobile number for now, and treat any unexpected call or message that references your Genshin account as suspicious.