Bethesda's support ticket system leaked personal information
Update: Publisher assures that no user account passwords or full credit card numbers were compromised
A number of Fallout 76 players have reported across social media this afternoon that, after submitting a support ticket to Bethesda, they received access to the personal information and support tickets of dozens of other users.
In a Reddit thread posted a few hours ago, a user reported that their Bethesda account had received eight pages of support tickets, mostly consisting of receipts for the Power Armor Editions requesting a replacement canvas bag, but also consisting of other support issues. These receipts, said the user, contained emails, home addresses, and card information, and the person was able to update tickets and close them.
The Reddit post originally contained screenshotted proof of the issue that has since been removed by moderators, but the same person has reiterated the issue on Twitter with the screenshot included. The image shows an inbox of support tickets which mostly included Power Armor bag replacement requests. Though no personal information is visible in this screenshot, it does show ticket status.
The problem seems to have affected more than just one person. Another reported the issue on the Bethesda community forums, also confirming that names, addresses, receipt screenshots, and other personal info was visible from players "all over the world." Others have reported a similar problem on Twitter with screenshotted evidence as well.
Update: Bethesda has issued an official statement regarding the security breach:
"We experienced an error with our customer support website that allowed some customers to view support tickets submitted by a limited number of other customers during a brief exposure window. Upon discovery, we immediately took down the website to fix the error.
"We are still investigating this incident and will provide additional updates as we learn more. During the incident, it appears that the user name, name, contact information, and proof of purchase information provided by a limited number of customers on their support ticket requests may have been viewable by other customers accessing the customer support website for a limited time, but no full credit card numbers or passwords were disclosed. We plan to notify customers who may have been impacted.
"Bethesda takes the privacy of our customers seriously, and we sincerely apologize for this situation."
Update 2: Bethesda has issued additional information with details on those effected. Per the publisher, the data breach only affected customers who submitted tickets during an approximately 45 minute long window on December 5, 2018. The company estimates fewer than 123 tickets were submitted.
Of the submitted tickets, Bethesda says no more than 65 included personal data that may have been exposed, and that of this data, no user account passwords or full credit card numbers were included. The following data, however, may have been shared with other users:
- Name
- Username
- Contact information provided such as email, personal address, and phone number
- Proof of purchase receipts if provided
Bethesda says it is in the process of reaching out to those who may have been affected.