The website for miHoYo, the developer behind phenomenally popular online video game Genshin Impact, exposed the full phone number of multiple players for at least several weeks.
"At the time I tried a couple of random usernames [from the Genshin Impact subreddit], and I was able to see their numbers as well," skydtlee, a Reddit user who originally flagged the issue in October, told Motherboard in an online chat.
Although it's unclear how many users were impacted, the issue generally revolved around the forgotten password mechanism on the miHoYo website. On Monday, TiltOnPlay, another Genshin Impact player, also discovered the issue.
"Right now, if you were to go to the miHoYo account website; forgot password; and then enter your username, the email would be partially censored. However, if you linked a mobile number, it is NOT censored at all," they wrote in their Reddit post.
"When I tested it by myself I was able to see my whole phone number without any censorship," MaitieS, another player, told Motherboard. MaitieS provided a screenshot of what they said was the miHoYo website displaying their phone number.
Potentially, the issue could allow people to discover the private phone numbers of, say, high-profile Genshin Impact streamers if they linked a phone number to their account.
MiHoYo did not respond to a request for comment. But multiple users, including TiltOnPlay, said that the issue was now resolved, at least for their own accounts.