The Chinese RPG sensation Genshin Impact has once again caused consternation among its users, this time over a fairly serious leak of personal information during the routine password recovery process.
A user on Reddit sounded the alarm after they attempted to recover the password for their MiHoYo account through the web browser on their smartphone. The password recovery screen displayed, unmasked, the full phone number linked to the account. Because the only input the form required was the account's username, which is publicly visible in-game, anyone who typed in another player's username could read that player's phone number.
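As an added illustration, not MiHoYo's code (which is not public) and not taken from the Reddit post: a minimal recovery endpoint that reproduces the reported behaviour, beside a hardened version that never echoes the full contact detail and returns the same response whether or not the username exists. The account store, usernames, phone numbers and handler names are all constructed for the example.

```python
import re

# Constructed sample account store; hypothetical data, not real accounts.
ACCOUNTS = {
    "traveler42": {"phone": "+15551234567"},
    "paimon_fan": {"phone": "+4915112345678"},
}

GENERIC_MESSAGE = (
    "If an account exists for that username, a verification code has been "
    "sent to the contact details on file."
)


def mask_phone(phone: str, visible_tail: int = 2) -> str:
    """Star out every digit except the last `visible_tail`, keeping a leading '+'.

    "+15551234567" -> "+*********67"
    """
    prefix = "+" if phone.startswith("+") else ""
    digits = re.sub(r"\D", "", phone)
    if len(digits) <= visible_tail:
        return prefix + "*" * len(digits)
    return prefix + "*" * (len(digits) - visible_tail) + digits[-visible_tail:]


def recovery_page_vulnerable(username: str) -> dict:
    """The anti-pattern described in the article: given only a username,
    the page returns the full phone number, and also confirms whether the
    username exists at all (account enumeration)."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"status": "error", "message": "No such account"}
    return {"status": "ok", "phone": acct["phone"]}


def recovery_page_hardened(username: str, outbox: list) -> dict:
    """Hardened handler.

    - The HTTP response is identical for known and unknown usernames, so the
      form cannot be used to confirm that an account exists.
    - The phone number is never returned to the unauthenticated caller; it is
      only used server-side to deliver the code (simulated via `outbox`).
    - Anywhere the number must be shown or logged later, only the masked form
      is used.
    """
    acct = ACCOUNTS.get(username)
    if acct is not None:
        outbox.append({"to": acct["phone"], "display": mask_phone(acct["phone"])})
    return {"status": "ok", "message": GENERIC_MESSAGE}


if __name__ == "__main__":
    print("vulnerable:", recovery_page_vulnerable("traveler42"))
    sent = []
    print("hardened (known):  ", recovery_page_hardened("traveler42", sent))
    print("hardened (unknown):", recovery_page_hardened("nobody", sent))
    print("what the SMS layer sees:", sent)
```

The uniform response is the important part: masking alone still lets an attacker confirm which usernames have an account, and the masked tail alone still narrows down a target's number. Rate limiting and a CAPTCHA on the recovery form are the usual complements, but they are not a substitute for never returning the full contact detail to an unauthenticated request.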
The bug did not appear to be universal, but did seem to be present for various users on North American, European, and Asian servers. No commonality between the affected users has been reported. Another Reddit user observed the error a month ago, but it did not appear to get the same traction.
MiHoYo has apparently fixed the problem at this point. In a statement to Gamesindustry.biz, they said, "[The] team has already noticed the systematic issue which might accidentally reveal users' phone number. [The] team took immediate action to fix the problem, and so far the issue should be resolved now."
This is, however, not the first time MiHoYo has drawn the ire of security-conscious players. Right after release, PC players noticed that the game's anti-cheat component kept running after they quit the game, and even after they uninstalled it. MiHoYo apologized and corrected the problem.
Food For Thought
The more recent Reddit story (which apparently got MiHoYo into action) did provide a screenshot showing the browser tab was using an HTTPS connection, so the data was at least not exposed in transit. That is cold comfort, though: HTTPS protects the connection between the browser and the server, not against a server that hands the full phone number to whoever types in a username. It is sloppy work, especially on a smartphone, where the screen is easily read by a bystander and the phone number shown is often the very device the user is holding. More troubling, though, is a chunk of boilerplate in MiHoYo's Terms of Service, which states that players may not "Exploit, distribute or publicly inform third-parties of any game error, miscue or bug, regardless of an intended advantage or not." Read literally, that clause would forbid the very Reddit post that got this bug fixed. The argument that such a clause is necessary to reduce cheating is ridiculous in the face of various data and consumer protection laws (such as Europe's GDPR), and could potentially lead to more serious trouble for MiHoYo and other companies.