Users' phone numbers leaked from the official website of the popular online game 'Genshin Impact'



It has been discovered that the official website of 'Genshin Impact', the free-to-play online game developed and operated by Chinese game company miHoYo, behaved in a way that allowed a user's phone number to be obtained from the account name.

'Genshin Impact' Exposed Players' Phone Numbers
https://www.vice.com/en/article/3anq59/genshin-impact-data-breach-phone-numbers

Genshin Impact developer says mobile number leak has been plugged | PC Gamer
https://www.pcgamer.com/genshin-impact-appears-to-be-exposing-some-players-mobile-numbers/

Genshin Impact's website has seemingly leaked some players' phone numbers • Eurogamer.net
https://www.eurogamer.net/articles/2020-11-15-genshin-impact-developers-website-has-leaked-some-players-phone-numbers

The problem was found in the password recovery form on the official website. This form is provided for users who have forgotten their password: when you enter your account name, a password recovery code is sent to the email address or phone number associated with the account.

In Genshin Impact's password recovery form, the email address or phone number set as the code destination is shown on a confirmation screen when the recovery code is sent, and this is where the problem occurred. For users who had linked an email address to their account, the address shown to confirm the code destination was partially hidden, but for users who had linked a phone number, the number was displayed without any masking.
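The confirmation display described above comes down to one destination type being masked and the other not. The following is an added example, not code from miHoYo or from the original article, of a server-side hint builder that masks every destination type and fails closed for any type without a masker; the function names and sample values are constructed for illustration.

```python
import re


def mask_email(address: str) -> str:
    """Keep only the first character of the local part; the domain stays visible."""
    local, _, domain = address.partition("@")
    if not domain:
        # Not a well-formed address: reveal nothing.
        return "*" * len(address)
    keep = 1 if len(local) > 2 else 0
    return local[:keep] + "*" * (len(local) - keep) + "@" + domain


def mask_phone(number: str, visible: int = 2) -> str:
    """Keep only the last `visible` digits; separators and '+' are dropped."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= visible * 2:
        # Too short to show a suffix without revealing most of the number.
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


# Every destination type the recovery form can display must have a masker here.
MASKERS = {"email": mask_email, "phone": mask_phone}


def recovery_hint(contact_type: str, value: str) -> str:
    """Return the string that is safe to show on the confirmation screen."""
    masker = MASKERS.get(contact_type)
    if masker is None:
        # Fail closed: an unknown type never falls through to the raw value.
        return "*" * 8
    return masker(value)


if __name__ == "__main__":
    # Constructed sample accounts, not real user data.
    for kind, value in [("email", "traveler@example.com"),
                        ("phone", "+1 555 010 0199"),
                        ("backup_phone", "+1 555 010 0142")]:
        print(kind, "->", recovery_hint(kind, value))
```

Building the hint on the server, rather than sending the full value and hiding it in the page, keeps the unmasked number out of the response entirely.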



With this behavior, a user's phone number could be obtained simply by entering the account name in the password recovery form. There are reports that phone numbers were actually obtained by entering another person's account name, and concerns have been reported not only about a possible violation of EU privacy law but also that the phone numbers of Genshin Impact streamers could be leaked.

On the other hand, this behavior does not seem to be common to all users. There is a series of contradictory reports, such as 'I actually tried using the password recovery form, but there was no problem because part of the phone number was hidden' and 'My phone number was leaked.' PC Gamer, a game news site, speculates that the discrepancy is caused by the user's region. While there are reports that phone numbers were properly hidden in Indonesia, it mentions that phone numbers were not hidden in Asia and North America outside Indonesia.

In Japan, there is no setting to link a phone number to an account, so no direct impact is expected. In addition, the bug appears to have already been resolved; as of November 15, 2020, it is reported that 'although nothing is officially mentioned, it may have been fixed.'

in Web Service,   Game,   Security, Posted by darkhorse_log