Earlier this month, we reported that Mihoyo quietly fixed an issue that caused Genshin Impact players’ email addresses to be made publicly available. This, combined with the fact that the game currently lacks two-factor authentication, means that it was relatively easy for people online to brute force the passwords of players all over the world. As a result, dozens of people have reported losses ranging from several hundred to several thousand dollars – all of which the developer currently refuses to refund.
After publishing our original report, we spoke to affected players about their loss. At present, the Genshin Impact subreddit suppresses the vast majority of posts pertaining to hacked accounts, with an official mod stating that they have already received “too many of these posts.”
Because of this, a new subreddit called GenshinHacked has since been set up. As of December 7, the subreddit had 125 members, with over 50 of them reporting experiences of being hacked. The group has since expanded to include almost 400 people, all of whom have lost items they spent real money on to hackers who were able to obtain their account information through no fault of their own.
“There’s info about the length of time people wait and I also have a full email chain with Mihoyo telling me it won’t do anything for players who have spent hundreds of dollars on the game,” subreddit creator Kaiurai tells me.
The email chain shows Kaiurai’s attempts to inform Genshin support of the issue, and also displays Mihoyo’s evident disinterest in rectifying the situation – despite the fact that it’s a direct result of its own damning lapses in security.
In the above email, Mihoyo claims that it can’t help and that it is up to the player to maintain the confidentiality of their own account details. However, it is important to reiterate that this player did not provide these details to anybody. Because Mihoyo’s login system allowed people online to access both the phone numbers and email addresses of players, and did not offer a two-factor authentication option, this could theoretically happen to anyone who plays the game.
After two follow-ups over nine days, Mihoyo eventually responded to Kaiurai.
As you can see, the developer is ignoring the issue – that accounts with hundreds, if not thousands of dollars attached to them are being stolen – and assuming that the fault lies with players, which is not the case given the easily exploitable security measures in place.
The rest of the email thread goes back and forth on the issue with the same bureaucratic, beat-around-the-bush replies as Mihoyo continues to deny accountability. When Kaiurai asked if they could have their weapons back, Mihoyo said it wasn’t possible, despite the fact that a gift system exists through which players – including individual players – can receive specific items via their in-game inbox, as proven by the birthday cake people get once a year. Mihoyo also said Kaiurai could have used the weapon lock mechanic to prevent themselves from accidentally using a 5-star weapon to upgrade a weak one, but because this was the work of a hacker, that security measure accomplishes literally nothing – they can just uncheck the box.
After claiming that it couldn’t help again, Mihoyo said:
“Thank you for taking the time to contact us. We all do appreciate your support as always. Extremely sorry for what happened, but as in our Terms of service we sent to you before, ‘You are responsible for maintaining the confidentiality of your Account information and if any third-parties use your Account or otherwise access to your Account, you may not claim compensation from miHoYo.’ Hope you understand this matter, we apologize for the inconvenience. ༼☯﹏☯༽”
This issue has happened to potentially hundreds of people over the last few months. Although the Genshin Impact subreddit usually suppresses posts pertaining to hacking, one post was simply too damning to ignore, as it included video footage of Mihoyo refusing to reimburse someone because the person who hacked their account had since topped it up.
“However, from the time your account is taken by someone there are many top-up(s),” the message from Mihoyo support reads. “And this is [a] dispute account situation, so we couldn’t help in this situation.”
The poster went on to share their final conversation with Mihoyo, during which the developer said that the information they provided was inconsistent – despite previously acknowledging that the account had been hacked – and closed the ticket without allowing the player to submit any further inquiries.
Kaiurai sent us a list of all of the items they lost as a result of the hack, which, when put in perspective, accounted for two battle passes – 12 weeks of play and £22 – as well as over £500 worth of Primogems.
“The 5-star weapons were all on the standard banner, so that’s 90 wishes for each of those,” they explain. “[That’s] 270 wishes. Each wish costs 160 primogems so that’s 43,200. For the crafted ones, there’s three chances to get a drop every week and they very rarely drop, so we can assume there’s one every two weeks at most. Basically, it’s £550 to get the stuff I lost back.” As Kaiurai says above, there’s also a massive time investment required to get back to where they were.
As for why the hacks occurred, Kaiurai can only think of two possibilities.
“They were a moron and didn’t know how to unlink my phone and email so they could change my password,” they explain. “I assumed it was because I had both linked they couldn’t change it, but it’s been proved that even with both linked, you used to be able to remove them without any email or phone trigger.” The other possibility is that someone might have had it out for Kaiurai, who is a small streamer, although they doubt this.
“I feel like if someone is actually out to get me it’s a weird way of going about it,” they say. “If it was targeted, they had my email. Why my Genshin account when presumably they could’ve tried, well… anything else of real value? I think it’s a hacker that wanted to steal it but couldn’t. Decided if he couldn’t have my stuff I couldn’t either.”
Kaiurai directed me to another player, TravisC98, who reports experiencing similar frustrations with Mihoyo. When I reached out to Travis, they explained that they’ve spent somewhere between $1,500 and $2,000 on Genshin Impact, all of which has now been flushed down the drain. Like Kaiurai, they put the hacker’s actions down to a failed attempt at theft.
“They likely couldn’t steal my account (at least that’s what I assume), and used my 5-star weapons and a large portion of my 5-star artifacts as materials to level up lower rarity weapons and artifacts,” Travis tells me. They filed a report for the thousands of dollars they lost on November 26, which was met with the following response from Mihoyo on December 3:
“Greetings traveler, we have received your feedback and we are deeply sorry for your loss. Currently we do not have [a] data rewinding service. However since the value of your loss is significant we will keep your ticket on record and help you if in the future once we have [a] data rewinding function. We will submit your issue to see if further measures could be taken. We strongly suggest that pls not sharing your game account info with third parties and bind your account with miHoYo account via email and mobile, as it seems the login IP is different at the time your loss occur[red].”
Travis then received the following response just yesterday:
“Greetings traveler. Thank you for reaching out to us. We have discussed your issue with the op[erations] manager and delivered the specific info of your lost item. We as players ourselves feel deeply sorry for your loss as we are aware of the value of your lost item. However our op team’s final decision is that we currently are unable to restore lost items for the players. This is both out of the consideration of our op protocols and non-intervention principles of game data management. We really appreciate your support of Genshin Impact.”
“I have no idea and I asked myself that question for days,” Travis explains in relation to why their account was hacked in the first place. “Why would someone do this?” They tell me that they still play Genshin Impact now – “sadly” – but it appears that Mihoyo has completely closed their ticket and the money they have spent thus far will not be refunded.
Another user who lost €1,000 worth of items and Primogems also got in touch with me. They have requested anonymity because they use the same handle for multiple games and websites, but were comfortable sharing their experience anonymously.
“My account was hacked on the night of November 30,” they explain. “I had spent about €1,000 on the game.
“I still had about €50 worth of Primogems left on my account that I was saving up. After I was hacked, those Primogems were used up and some weapons were destroyed in order to upgrade new ones. I had my phone and email linked so the hacker could not steal my account. But they had access to it for a whole night.”
Mihoyo responded to this player with the same message – “Unfortunately, we cannot process this issue sir.” The player sent two tickets and the last answer arrived eight days later, at which point their case was closed. They explain that they were using the same email address that is attached to multiple other games, but it hasn’t been compromised in any other database. They did not visit any phishing links, and have never shared their account details online.
“I have the feeling the hacker found out my email through the forum – there was a way to find out the email with an exploit,” they tell me. “The password must not have been strong enough. I was using a combination of words and one number, but it seems you need much more complex passwords to stay safe in Genshin Impact.” As mentioned above, once the hackers get a certain amount of details, they are able to brute force the passwords due to the lack of two-factor authentication.
At the time of writing, TheGamer.com has also reached out to several other players who have reportedly not had their money refunded after being hacked as a result of Mihoyo’s poor security. As it stands, these players have been denied both refunds and replacements for the items they lost, and are all considering conducting chargebacks via their banks in order to reclaim the money that was stolen from them because of Genshin’s own lacklustre security.
Cian Maher is the Lead Features Editor at TheGamer. He’s also had work published in The Guardian, The Washington Post, The Verge, Vice, Wired, and more. You can find him on Twitter @cianmaher0.