Niantic Labs, the company behind the sudden smash-hit game Pokémon Go, says that it never intended for the game to get full access to users’ Google accounts.
According to the company, Google says that the app has not accessed any user data beyond "basic profile information," and that Google will soon "reduce Pokémon Go’s permission" to only the limited info that it needs to access.
"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account," the company said in a statement provided to Recode. "Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access."
Earlier on Monday, reports surfaced claiming that some users who downloaded the app were unknowingly handing over the keys to broad information from their Google account, including Gmail and Maps history information. The issue appears to only affect Apple iOS users, who handed over "full access" to their accounts without being told they were doing so.
Adam Reeves, the researcher who first spotted the issue, called it a "huge security risk." When Gizmodo called him up, Reeves backtracked those claims, saying that he never tested them.
Google declined to comment. You can read Niantic’s full statement below:
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
This article originally appeared on Recode.net.