UPDATE 07/12/16: Pokémon Go has now been updated to a fresh 1.0.1. version, with Niantic Labs promising the Verge that a "less intrusive grip" on Google account permissions is now in place. Celebrate accordingly.
See original story below.
The security risk was first pointed out by Adam Reeve, who works for RedOwl, a security analytics platform. Reeve not only revealed that Pokémon Go is gaining full account access, but also detailed what that means for users whom logged into the app with Google accounts.
The issue arises because users need accounts to play and can only log in with accounts from pokemon.com or Google. Reeve and ZDNet reported the Pokemon website wasn't allowing for new registrations, so people feigning to catch 'em all were left with no choice but to log in with Google accounts.
According to Reeve, a message detailing the kind of access he was granting the Pokémon Go application didn't come up after he logged in. He was only able to see the app had full account access when he checked on his Google account.
As the Google help page states full account access means: "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf)."
Reeve wrote that the app would be able to read your email, in addition to sending emails from your account, and having access to Google drive documents and Google Photos. The app could also gain users' search and maps history.
Google advises users should only allow "full account access" to trustworthy applications that are "installed on your personal computer, phone, or tablet."
"Now, I obviously don't think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness," Reeves wrote before saying he deleted the app after revoking access to his account.
Niantic, the company behind Pokémon Go, told Complex in a statement over email:
If you still want to revoke the game's access to your Google account by signing in and opening the Apps connected to your account page explained ZDNet. Next, search for the application's name (Pokémon Go) and click 'Remove Access' and then confirm by clicking 'OK.'
Android Pokémon trainers can breathe a sigh of relief, as Reeve said this only seems to be an iOS issue, though Reeve said not everyone on iOS has been affected.