Genshin Impact fails to protect players’ phone numbers in big security flaw

Update: According to the developer, this is now fixed. MiHoYo has stated that it took “immediate action to fix the problem.” (via GamesIndustry.biz)


Multiple players are reporting that Genshin Impact isn’t properly protecting the privacy of their phone numbers, with developer Mihoyo allegedly failing to censor their digits. This means that some players who have registered for the game on iOS or Android may be vulnerable to having their full phone number revealed.

Genshin Impact is a free-to-play JRPG that has been around for several months. Most recently, it was released in the West and has become explosively popular; a handful of new characters were recently revealed in a leak before being officially confirmed prior to the launch of the 1.1 patch. Now, it’s come to light that Mihoyo may not have the best account security in place for some mobile players.

Why this Genshin Impact phone number security flaw is a problem


A password recovery form will typically censor a player’s e-mail address or phone number. For example, an e-mail address might be shown on screen with only its first few characters and its domain visible and the rest replaced by asterisks; similarly, a phone number of 123-456-7890 would be shown as 12*-***-**90. Unfortunately, players in several countries are reporting that Genshin Impact’s phone number censorship isn’t working in some regions. This means that full phone numbers are displayed, which would theoretically allow anyone to enter common usernames into the recovery form and obtain the phone numbers linked to those accounts.
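As an added illustration (not code from Mihoyo or from the original article), this is how a recovery page can mask a phone number or e-mail address in the way described above, along with a check a developer could run in tests for every region so that an unmasked hint like the one players reported cannot ship unnoticed. Function names and the sample numbers are my own.

```python
def mask_phone(phone: str, keep_prefix: int = 2, keep_suffix: int = 2) -> str:
    """Return the phone number with all but its first/last few digits hidden.

    Separators ('-', ' ', '+', parentheses) are kept so the owner still
    recognises the shape of the number, e.g. 123-456-7890 -> 12*-***-**90.
    """
    digits = sum(c.isdigit() for c in phone)
    if digits <= keep_prefix + keep_suffix:
        keep_prefix = keep_suffix = 0  # too short to reveal anything safely
    out, seen = [], 0
    for c in phone:
        if c.isdigit():
            visible = seen < keep_prefix or seen >= digits - keep_suffix
            out.append(c if visible else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_email(email: str, keep: int = 2) -> str:
    """Hide the local part of an address except for its first `keep` characters."""
    local, at, domain = email.partition("@")
    if not at or not local or not domain:
        raise ValueError("not an e-mail address")
    visible = local[:keep] if len(local) > keep else ""
    return visible + "*" * (len(local) - len(visible)) + "@" + domain


def phone_hint_is_safe(original: str, shown: str, max_visible: int = 4) -> bool:
    """Regression check for the recovery page: at most `max_visible` of the
    original digits may survive unmasked, every other digit must be '*',
    and separators must be unchanged. Run it for each region/locale path."""
    if len(original) != len(shown):
        return False
    visible = 0
    for o, s in zip(original, shown):
        if o.isdigit():
            if s == o:
                visible += 1
            elif s != "*":
                return False
        elif s != o:
            return False
    return visible <= max_visible


if __name__ == "__main__":
    # Constructed sample values, not real player data.
    print(mask_phone("123-456-7890"))            # 12*-***-**90
    print(mask_email("jimmy.smith@example.com"))  # ji*********@example.com
    print(phone_hint_is_safe("123-456-7890", "123-456-7890"))  # False: leaked
```

The last call models the reported bug: a page that echoes the full number fails the check, while the masked form passes.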

A discussion on Reddit begins with a player who attempted to recover their password only to discover that the account recovery page was showing their full phone number. Several other players from Australia, Asia, and the EU have reported that their phone numbers are similarly visible on the account recovery page; however, other players — most notably in Indonesia and other unnamed EU countries — are saying that their phone numbers are properly censored.

Based on player reporting thus far, it appears that certain countries might not have phone numbers censored on the account recovery page while other countries do. Uncensored phone numbers can be an issue for two reasons: a malicious actor could call you unsolicited or sell your phone number to a third party. A more technically adept attacker could potentially intercept your SMS messages and consequently gain access to your account.

Thankfully, this issue seems to be limited to a handful of countries and only to players who signed up for the game with a phone number rather than an e-mail. Mihoyo has shown a willingness to respond to player complaints about technical issues; earlier this year, it changed the way its PC anti-cheat system worked after player feedback. Players are currently contacting Mihoyo in an effort to get this issue resolved as soon as possible.