
While Pokémon GO users (there are millions and millions of them already) are collecting all 150 of the game’s fictional species of creatures, Niantic and Nintendo are gaining access to and collecting a lot of your personal information.

It’s not just the ability to track your location, or the fact that the app is linked with your Google account that’s worrisome; most users accepted a level of invasive monitoring willingly, given the game is about GPS-based hunting.

But the app gives away way more than that to the company. Way more.

Anyone who signed up for Pokémon Go with a Google account (the other option, a Pokémon.com account, is unavailable right now) has perhaps unknowingly given Nintendo and developer Niantic (formerly owned by Google, but still part of Google’s investment portfolio) full account access. The issue was first publicized widely by programmer Adam Reeve on his personal Tumblr.

Theoretically, these permissions could allow Niantic and Nintendo’s subsidiary The Pokémon Company to see, edit, or collect just about anything related to your Google account. Emails, photos, documents, all of your past location and search history: it can see all of this stuff, from even before you started using the app. It can also send emails as you—kind of the number one, red flag, alarm bell hacker opportunity in the digital world, aside from banking.

It’s a potentially disastrous security risk: just one hack or leak of user information would mean compromises in Google information for a group of people about as large as the number of active daily users for Twitter on Android.

Even if the data isn’t hacked, these two companies are already getting access to (and the ability to edit) your info—pictures, emails, documents—basically everything they could ever want, except a few key abilities like using Google Wallet, changing your password, or deleting your account.

Whether they’re using those abilities or not is an entirely separate matter, but unless Niantic wants to help you build spreadsheets to keep track of your Pokémon, and email your friends to brag about it, this is completely unwarranted access.

However, developer Niantic clarified to Business Insider that Pokémon Go requesting this kind of broad access to players’ Google accounts wasn’t intentional, and added it was never used to look at players’ account information, other than their email address (not emails themselves) and user ID. The company further explained the issue was a bug on the iOS version of Pokémon Go, and said it will be fixed in an upcoming update.

The controversy was probably not going to stop anyone from playing (maybe it should though, until the company rolls back its access requirements), but it should at least make you keep it all in mind (or consider setting up a second account for safety’s sake).

Anyway, back to hunting. Sorry for the interruption.

Update: this story was updated after publication to include information about Niantic’s statement.