Watch out: if you’re using your Google Account to sign in to Pokémon Go on iOS, you may have allowed the developers at Niantic to have access to your e-mail, documents, and anything else attached to that account.
Unlike other applications that link to Google, which typically ask for your basic account info, Pokémon Go gets full access to your entire account (h/t all the Kotaku readers who tipped us about this).
The app gives no warning and does not request this access—it just takes, like a Pokémon trainer in the wild.
There’s no indication that Niantic has done anything with this data, and it could very well be an oversight, but it’s nonetheless scary for anyone concerned with privacy. You can check what permissions your Google account is granting right here.
Pokémon Go players can also sign up for accounts through the Pokémon website. Be warned, however: if you try to switch from a Google account to a Pokemon.com account, you will lose your progress.
When reached by Kotaku, a representative for Niantic declined to comment.
Update - 10:07pm: Niantic says it was a mistake that will be fixed soon. Here’s their statement to press:
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Update - 9:48pm: Our colleagues at Gizmodo also looked into claims about this. No conclusive answers yet, but they cite a cybersecurity expert who is unsure if the current permissions will really allow Google full access to your e-mails.