Earlier this week, the situation surrounding Fallout 76's nylon bags turned from bad to worse for publisher Bethesda. After vowing to replace people's nylon collectibles with canvas bags, fans were encouraged to file support tickets. However, a major security issue on the company's support website allowed anyone who filed a ticket to see other support tickets, including the personal data included therein.
On social media, several players in the Fallout 76 community said that they had been able to view other people's support tickets as well as their own. Since these reports began to circulate, Bethesda has come out and verified them.
In a series of statements posted to the official Bethesda Support Twitter account, Bethesda states that the window of the breach lasted for approximately 45 minutes on December 5, 2018. During this time, fewer than 123 support tickets were submitted and may have been viewed (partially or fully) by other people accessing the company's support website. Bethesda adds that no more than 65 support tickets included personal data that may have been exposed.
According to Bethesda, it has reviewed these 65 or so support tickets and has declared that no user account passwords or full credit card numbers were included or exposed. They may have included name, contact info (email, address and phone number) and proof of purchase information if these were included by the user when they filed their support ticket. Bethesda says that it is currently in the process of contacting those who have been affected by the security breach.
While some appreciate Bethesda's honesty on the matter, replies to the tweets suggest that most fans are still unhappy with the situation. In particular, some are worried about the security of their financial accounts. Although the support tickets may not have included "full credit card numbers," even partial credit card numbers could lead to trouble if accessed by fraudsters. Likewise, by piecing together information leaked in other breaches, it could leave users open to be hacked.
Some have also pointed out that data security laws around the world (including Europe's GDPR) would leave Bethesda liable for a security breach like this. PSN users filed a class-action lawsuit against Sony when it suffered a data breach, and some are wondering whether that would be possible here.
Moreover, fans are unsure of how they are going to get their canvas bags. Bethesda says that it has addressed the security error, but many fans are understandably not feeling so confident about how their data will be secured should they submit a support ticket. So, although Bethesda has apologized for the situation, it will take more than sincerity to resolve this issue.