Rhino Security Labs

Gotta Watch ’em All: Pokémon Go Permissions

Taking the World By Storm - Pokémon Go

Millions of downloads and huge stock bumps have Niantic Labs as the next big company to watch in the gaming industry; however, due to a security misconfiguration by Niantic Labs, they may be the ones watching you.

Pokémon Go is available for both iOS and Android, but researcher Adam Reeve was the first to note that on iOS devices the application grants itself full permission to your Google account when signing up. Such permissions allow full read and write access to your Gmail account, access to your Google Drive documents, Maps navigation history, photos and more. Developers often forget to apply the principle of least privilege when requesting access, and this appears to be a case of exactly that. Niantic Labs has already issued a statement saying that they only access basic profile data. This was confirmed by Google, who said that no data other than basic profile data has been accessed by Niantic.
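The least-privilege point above is concrete in OAuth terms: an app that only needs basic profile data should request only the identity scopes, not mailbox or Drive scopes. The script below is an added example written for this post, not code from Rhino Security Labs, Niantic or Google; it parses the `scope` parameter out of a Google-style OAuth 2.0 authorization URL and flags any scope beyond a constructed "basic profile" allowlist. The scope identifiers are Google's public scope names; the client id, redirect URI and sample URLs are constructed placeholders.

```python
"""Audit the OAuth 2.0 scopes an app requests against the minimum it needs.

Added example for this post (not Niantic's or Google's code). Scope strings are
Google's public scope identifiers; the URLs and client id below are constructed.
"""
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: what a "basic profile data" login should need, and nothing more.
BASIC_PROFILE_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Scopes that grant broad read/write access to user data. Any of these in a
# game's login flow is the kind of over-permissioning the post describes.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail read/write",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail messages",
    "https://www.googleapis.com/auth/drive": "full Google Drive access",
}


def extract_scopes(auth_url: str) -> list:
    """Return the list of scopes requested in an authorization URL.

    OAuth scopes are space-separated in one `scope` query parameter; parse_qs
    already decodes both '+' and '%20' back to spaces for us.
    """
    query = parse_qs(urlparse(auth_url).query)
    raw = " ".join(query.get("scope", []))
    return [s for s in raw.split() if s]


def audit_scopes(scopes, allowed=BASIC_PROFILE_SCOPES) -> dict:
    """Compare requested scopes with the allowlist and report the excess."""
    excess = sorted(s for s in scopes if s not in allowed)
    high_risk = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    return {
        "requested": list(scopes),
        "excess": excess,              # anything beyond least privilege
        "high_risk": high_risk,        # subset of excess that is especially dangerous
        "least_privilege": not excess,
    }


# Constructed sample authorization URLs (client id / redirect are placeholders).
OVERBROAD_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client-id"
    "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&scope=openid+email+profile+https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
)
MINIMAL_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client-id"
    "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&scope=openid%20email%20profile"
)

if __name__ == "__main__":
    for label, url in (("over-broad login", OVERBROAD_URL), ("minimal login", MINIMAL_URL)):
        report = audit_scopes(extract_scopes(url))
        print(f"{label}: least privilege = {report['least_privilege']}")
        for scope in report["excess"]:
            note = report["high_risk"].get(scope, "not in allowlist")
            print(f"  excess scope {scope} ({note})")
```

The same audit applies to an already-issued token: whatever scope list your introspection or token-info endpoint returns can be fed straight into `audit_scopes`, which is how you would confirm after the fact that a client really did receive only profile access.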

Pokémon Go is a smash hit, but this privacy concern may be just the first of many in the coming months. Attackers look to get a piece of the pie of any large success, and with the widespread popularity of Pokémon Go many eyes will be auditing the application. Go is something of a fractal security nightmare if you look at the data the game stores. It processes transactions, stores GPS locations and has access to many of your phone's sensitive features; essentially, every capability a malicious actor could want. With such a broad attack surface it may be just a matter of time before a more serious breach occurs.