Recently a Reddit user called TiltOnPlay highlighted a vulnerability that raises security concerns about Chinese developer MiHoYo, the developer and publisher of the mega-hit Genshin Impact.
To get an idea of the success of Genshin Impact: just a month after its launch, users have already spent $245 million inside the game. Now its developer is being criticized for failing to protect user privacy. TiltOnPlay noticed that when they visited the MiHoYo website and entered their username while trying to reset their password, their full mobile number was visible on the website.
This is a particularly problematic situation because it means that, in theory, anyone who wanted to see another player’s mobile number in the game’s database only had to know that player’s username and enter it on the website. Shortly after TiltOnPlay revealed this issue, other Genshin Impact players noticed that their numbers were also showing up. Some, however, commented that their numbers were not displayed.
Careless or intentional act?
Andreas Theodorou, a digital privacy expert at ProPrivacy, told Nintendo Life that the case leaves MiHoYo in the hands. “This is not the first time that MiHoYo has been criticized for not protecting users’ privacy and it shows that they are not concerned about it. By showing users’ personal information, without authentication, they allowed possible stalkers, scammers and other cybercriminals. confidential information and putting Genshin Impact players at risk,” Theodorou said.
“It would be perfectly possible for cybercriminals to look up the cell phone numbers of specific players and carry out targeted attacks based on information provided by the game developer,” added Theodorou. “Genshin Impact players should pay close attention in the coming months and be on the lookout for any possible fraud or harassment that could occur as a result of these failures.”
Does this problem have a solution?
As MiHoYo often encourages users to link their gaming accounts to the main website, this could further expose users’ private data.
Until the developer finds out what exactly happened and can clearly confirm that the problem has been fixed and will not recur, we suggest that you keep your credentials to yourself and disconnect your mobile number from your account for now.