Final Fantasy 14 patch makes an effort to combat mods that can enable harassment, but players report it's "very easy" to reverse newly hidden account IDs

Final Fantasy 14 Dawntrail
(Image credit: Square Enix)

Final Fantasy 14's latest patch was supposed to make an adjustment to the MMORPG to help combat mods that could potentially enable harassment, but players have found that developer Square Enix's efforts to do this haven't removed the issue entirely.

Previously, Final Fantasy 14 introduced what was supposed to be an improvement to its blacklist feature, allowing players to block all characters tied to an account when they block one of them.

In theory, this should have reduced the chances of players being harassed, but players discovered that, with this new feature, every player had a unique account ID, broadcasted to the game's client.

This ID is supposed to be invisible, but a mod that could access it soon surfaced – neither personal information nor payment details could be accessed this way, but needless to say, it wasn't good news for players who were now faced with the possibility of others tracking down all of their alternate characters using their account ID.

With Patch 7.2, Square Enix has outlined changes to the blacklist, noting that, "to help prevent the identification of account IDs that are not displayed in-game, relevant saved client data has been reset."

Anyone you've blacklisted will remain blacklisted, but their character names have been removed, and will only be visible if you block them again. Furthermore, fans investigating the situation found that some level of account ID obfuscation had also been put in place, but this apparently isn't enough to stop the problem at all.

"After a *lot* of testing and a group chat full of my smartest FF14 friends, we have figured out the obfuscation is vulnerable, and that the account IDs are actually reversible," one player who goes by NotNite writes on Bluesky. "[Square Enix] needs to stop sending the account ID entirely to clients and just set a hidden flag or something."

Continuing, NotNite explains that "this functionally means nothing to plugins like PlayerScope" – the mod that was previously used to identify account IDs – the only difference is "they need to work slightly harder and discover the algorithm on their own."

NotNite and their friends have reportedly already "been able to deobfuscate several account IDs (of friends with consent) with a 100% success rate," but they understandably aren't sharing the details of how it's done beyond noting that "it is very easy to do."

NotNite is calling on Square Enix to fix the flaw, and "fix it properly." They allege that "it's a security risk," and that "they should not obfuscate this information, they should completely stop sending it to the client."

Needless to say, Patch 7.2 hasn't brought the reassurance that players left feeling uncomfortable by the blacklist exploit saga were hoping for. Clearly, though, Square Enix wants to see this issue dealt with, so hopefully the developers can make another attempt to solve it for good.

Final Fantasy 14's Yoshi-P was unsure about referencing Final Fantasy 9 so heavily because it's a "masterpiece, and everyone has a strong emotional attachment to it."

Catherine Lewis
News Writer

I'm one of 12DOVE's news writers, who works alongside the rest of the news team to deliver cool gaming stories that we love. After spending more hours than I can count filling The University of Sheffield's student newspaper with Pokemon and indie game content, and picking up a degree in Journalism Studies, I started my career at GAMINGbible where I worked as a journalist for over a year and a half. I then became TechRadar Gaming's news writer, where I sourced stories and wrote about all sorts of intriguing topics. In my spare time, you're sure to find me on my Nintendo Switch or PS5 playing through story-driven RPGs like Xenoblade Chronicles and Persona 5 Royal, nuzlocking old Pokemon games, or going for a Victory Royale in Fortnite.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.