Redditor TiltOnPlay posted a screen illustrating the problem:
Any email address can be entered into the “forgot password” page, after which the option to verify the account can be switched to using a linked mobile number rather than an email address—meaning that anyone can enter an address and potentially access the user’s mobile number. Aside from the obvious downsides of having your phone number exposed to the world (which, as CNet explains, can be quite serious), several users have pointed out that leaving data lying around in the open like this is also a big violation of the EU’s notoriously strict privacy laws.
Many Genshin Impact players in the thread say that their numbers are being properly covered up, and both Steven and I tried it and found the same thing—we entered our email addresses into the account verification screen, and the attached numbers came up censored. Location may be a factor, although there doesn’t appear to be enough commonality to really nail it down at this point—several Indonesian players say their numbers are covered, but people from other locations in Asia and at least one in North America claim that theirs are fully exposed.
Giving the allegations some credence is the fact that this isn’t actually the first report of this problem: Redditor skydtlee posted about the same issue, also with screens, three weeks ago. That thread went largely unnoticed, though, so the problem is only coming to widespread attention now.
I’ve reached out to MiHoYo to ask about the lapse, and will update if I receive a reply. In the meantime, if you’re concerned about privacy issues, you might want to unlink your mobile number from your account, at least until the problem is fixed.