Earlier this month, we reported that Mihoyo quietly fixed an issue that caused Genshin Impact players’ email addresses to be made publicly available. This, combined with the fact that the game currently lacks two-factor authentication, means that it was relatively easy for people online to brute force the passwords of players all over the world. As a result, dozens of people have reported losses ranging from several hundred to several thousands of dollars - all of which the developer currently refuses to refund.
After publishing our original report, we spoke to affected players about their loss. At present, the Genshin Impact subreddit suppresses the vast majority of posts pertaining to hacked accounts, with an official mod stating that they have already received “too many of these posts.”
Because of this, a new subreddit called has since been set up. As of December 7, the subreddit had 125 members, with over 50 of them reporting experiences of being hacked. The group has since expanded to include almost 400 people, all of whom have lost items they spent real money on to hackers who were able to obtain their account information through no fault of their own.
“There's info about the length of time people wait and I also have a full email chain with Mihoyo telling me it won't do anything for players who have spent hundreds of dollars on the game,” subreddit creator Kaiurai tells me.
The email chain shows Kaiurai’s attempts to inform Genshin support of the issue, and also displays Mihoyo’s evident disinterest in rectifying the situation - despite the fact that it’s a direct result of its own damning lapses in security.
In the above email, Mihoyo claims that it can't help and that it is up to the player to maintain the confidentiality of their own account details. However, it is important to reiterate that this player did not provide these details to anybody. Because Mihoyo’s login system allowed people online to access both the phone numbers and email addresses of players, and did not offer a two-factor authentication option, this could theoretically happen to anyone who plays the game.
After two follow-ups over nine days, Mihoyo eventually responded to Kaiurai.
As you can see, the developer is ignoring the issue - that accounts with hundreds, if not thousands of dollars attached to them are being stolen - and assuming that the fault lies with players, which is not the case given the easily exploitable security measures in place.
The rest of the email thread goes back and forth on the issue with the same bureaucratic, beat-around-the-bush replies as Mihoyo continues to deny accountability all the while. When Kaiurai asked if they could have their weapons back, Mihoyo said it wasn’t possible, despite the fact that a gift system exists in which players - including individual players - can receive specific items via their in-game inbox, as proven by the birthday cake people get once a year. Mihoyo also said Kaiurai could have used the weapon lock mechanic to prevent themselves from accidentally using a 5-star weapon to upgrade a weak one, but because this was the work of a hacker, that security measure accomplishes literally nothing - they can just uncheck the box.
After claiming that it couldn’t help again, Mihoyo said:
“Thank you for taking the time to contact us. We all do appreciate your support as always. Extremely sorry for what happened, but as in our Terms of service we sent to you before, ‘You are responsible for maintaining the confidentiality of your Account information and if any third-parties use your Account or otherwise access to your Account, you may not claim compensation from miHoYo.’ Hope you understand this matter, we apologize for the inconvenience.”
This issue has happened to potentially hundreds of people over the last few months. Although the Genshin Impact subreddit usually suppresses posts pertaining to hacking, one post was simply too damning to ignore, as it included because the person who hacked their account had since topped it up.
“However, from the time your account is taken by someone there are many top-up(s),” the message from Mihoyo support reads. “And this is [a] dispute account situation, so we couldn’t help in this situation.”
The poster went on to share their with Mihoyo, during which the developer said that the information they provided was inconsistent - despite previously acknowledging that the account had been hacked - and closed the ticket without allowing the player to submit any further inquiries.
Kaiurai sent us a list of all of the items they lost as a result of the hack, which, when put in perspective, accounted for two battle passes - 12 weeks of play and £22 - as well as over £500 worth of Primogems.
“The 5-star weapons were all on the standard banner, so that's 90 wishes for each of those,” they explain. “[That’s] 270 wishes. Each wish costs 160 primogems so that's 43,200. For the crafted ones, there's three chances to get a drop every week and they very rarely drop, so we can assume there's one every two weeks at most. Basically, it's £550 to get the stuff I lost back.” As Kaiurai says above, there’s also a massive time investment required to get back to where they were.
As for why the hacks occurred, Kaiurai can only think of two possibilities.
“They were a moron and didn't know how to unlink my phone and email so they could change my password,” they explain. “I assumed it was because I had both linked they couldn't change it, but it's been proved that even with both linked, you used to be able to remove them without any email or phone trigger.” The other possibility is that someone might have had it out for Kaiurai, who is a small streamer, although they doubt this.
“I feel like if someone is actually out to get me it's a weird way of going about it,” they say. “If it was targeted, they had my email. Why my Genshin account when presumably they could've tried, well... anything else of real value? I think it's a hacker that wanted to steal it but couldn't. Decided if he couldn't have my stuff I couldn't either.”
Kaiurai directed me to another player, TravisC98, who . When I reached out to Travis, they explained that they’ve spent somewhere between $1,500 and $2,000 on Genshin Impact, all of which has now been flushed down the drain. Like Kaiurai, they put the hacker’s actions down to a failed attempt at theft.
“They likely couldn't steal my account (at least that's what I assume), and used my 5-star weapons and a large portion of my 5-star artifacts as materials to level up lower rarity weapons and artifacts,” Travis tells me. They filed a report for the thousands of dollars they lost on November 26, which was met with the following response from Mihoyo on December 3:
“Greetings traveler, we have received your feedback and we are deeply sorry for your loss. Currently we do not have [a] data rewinding service. However since the value of your loss is significant we will keep your ticket on record and help you if in the future once we have [a] data rewinding function. We will submit your issue to see if further measures could be taken. We strongly suggest that pls not sharing your game account info with third parties and bind your account with miHoYo account via email and mobile, as it seems the login IP is different at the time your loss occur[red].”
Travis then received the following response just yesterday:
“Greetings traveler. Thank you for reaching out to us. We have discussed your issue with the op[erations] manager and delivered the specific info of your lost item. We as players ourselves feel deeply sorry for your loss as we are aware of the value of your lost item. However our op team's final decision is that we currently are unable to restore lost items for the players. This is both out of the consideration of our op protocols and non-intervention principles of game data management. We really appreciate your support of Genshin Impact.”
“I have no idea and I asked myself that question for days,” Travis explains in relation to why their account was hacked in the first place. “Why would someone do this?” They tell me that they still play Genshin Impact now - “sadly” - but it appears that Mihoyo has completely closed their ticket and the money they have spent thus far will not be refunded.
Another user who lost €1,000 worth of items and Primogems also got in touch with me. They have requested anonymity due to the fact that they use the same handle for multiple games and websites, but were comfortable to anonymously share their experience.
"My account was hacked on the night of November 30," they explain. "I had spent about €1,000 on the game.
"I still had about €50 worth of Primogems left on my account that I was saving up. After I was hacked, those Primogems were used up and some weapons were destroyed in order to upgrade new ones. I had my phone and email linked so the hacker could not steal my account. But they had access to it for a whole night."
Mihoyo responded to this player with the same message - "Unfortunately, we cannot process this issue sir." The player sent two tickets and the last answer arrived eight days later, at which point their case was closed. They explain that they were using the same email address that is attached to multiple other games, but it hasn't been compromised in any other database. They did not visit any phishing links, and have never shared their account details online.
"I have the feeling the hacker found out my email through the forum - there was a way to find out the email with an exploit," they tell me. "The password must not have been strong enough. I was using a combination of words and one number, but it seems you need much more complex passwords to stay safe in Genshin Impact." As mentioned above, once the hackers get a certain amount of details, they are able to brute force the passwords due to the lack of two-factor authentication.
At the time of writing, nngou365.com has also reached out to several other players who have reportedly not had their money refunded after being hacked as a result of Mihoyo’s poor security. As it stands, these players have been denied both refunds and replacements for the items they lost, and are all considering conducting chargebacks via their banks in order to reclaim the money that was stolen from them because of Genshin’s own lacklustre security.