Bethesda’s latest video game, Fallout 76, launched last month with its share of uneven reviews and responses (including our own), and chief among players’ complaints is that the always-online game is quite buggy.
But to borrow a term that Bethesda itself used to describe the game’s pre-release beta period, Fallout 76 is facing a new “spectacular issue,” albeit one that’s technically outside of the game client. Instead, the issue comes from the game’s equally troubled $200 Power Armor edition: buyers of the Power Armor edition who went to Bethesda’s site to resolve the issue were seeing their personally identifying data (PID) leaked to everybody else who was trying to resolve the issue.
This requires backing up for context. Fallout 76 could be pre-ordered in a pricey Power Armor set, complete with a wearable replica helmet and a tote bag. As I pointed out in a November unboxing article, that bag turned out to be “a cheap, flimsy carrying case,” but what I didn’t realize at the time was that Bethesda had originally advertised a higher-quality canvas bag as part of the $200 set.
Once orders for the set began shipping to players, their outcry prompted Bethesda to respond with a token of apology: a $5 voucher for Fallout 76‘s in-game cosmetics store. Fans took umbrage with the token by pointing out a hilarious irony: that amount of credit couldn’t even buy a virtual canvas bag within the game in question.
Power armor, meet power error
Bethesda soon followed this with a seemingly more-fitting offer: an actual canvas bag, just like the publisher had originally promised. This required logging onto Bethesda’s help-ticket system and submitting a few things for replacement-bag processing: a picture serving as proof of purchase, complete with hand-written name, Bethesda.net username, and receipt, along with a shipping address and phone number.
On Tuesday, however, user reports began circulating with an ominous allegation: that anyone who filed a support ticket at Bethesda’s site was receiving a lot of replies to their threads. As in, every ticket going through the system.
From Bethesda’s own forums:
I went on the support website today to update a ticket of mine, and surprisingly (or not…) I ended up being able to see all sorts of tickets, with people putting their personal information in them, like receipt screenshots, names, addresses, and so on. I’m assuming this is a bug in the website, because I don’t see for what reason Bethesda would make tickets public.
I’m not going to paste screenshots of what I have access to for the privacy of people, but I can see receipts of people from all over the world, and if I can, other people probably can, too.
It seems like the code of the website sucks as much as the one of the game.
Shortly after this post went live, the thread was updated by a moderator to indicate that it would be locked, but users were still able to reply to the thread. That “thread locked” notice went away shortly afterward, with an indication that the data-leak issue had been resolved. I was unable to file a ticket to attempt to replicate the issue, however, as the ticket-submission page was still missing its “submit” button as of press time.
Other Reddit users added their own allegations of the same issue, with one public screenshot showing multiple, confused replies to the same support-ticket thread. This public screenshot includes no personally identifying data; screenshots with other users’ addresses and photos have since been taken down from Reddit and Bethesda threads, while GamesIndustry.biz tracked down the first public image of the bug’s effects, posted by a Twitter user.
Update, 11:12 p.m.: In a statement provided to Ars Technica, Bethesda confirmed that users’ PID was exposed to fellow customer service users without their knowledge or consent via “an error with our customer support website.” According to the statement, Bethesda is “still investigating the incident and will provide additional updates as we learn more.” The statement emphasized what kinds of data had been exposed: namely, the specific details that the bag-replacement support site requests, not “full credit card numbers or passwords.”
The company says it will notify any customers whose messages and photos may have been inadvertently shared. “Bethesda takes the privacy of our customers seriously, and we sincerely apologize for this situation,” the statement concludes.