The maker of the hit mobile video game Pokémon GO says its engineers are working to fix a flaw that grants the company access to all Google files and data of users who play the game on iOS devices.

Players who sign in with their Google accounts must agree to a privacy policy that allows Niantic Inc. access to users’ email, photos, videos, web page viewing data, GPS navigation histories, and all documents contained in Google Drive.

Cybersecurity concerns were heightened even further following reports that a weekend crash of the Pokémon GO servers was the result of multiple hacking attacks.

Niantic and Google, which has a stake in the game developer, said only User IDs and email addresses are being tracked, and denied accessing or collecting any of the more sensitive player data.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access,” Niantec said on its website. “Google has verified that no other information has been received or accessed by Pokémon GO or Niantic.”

BYOD data concerns

The augmented reality game, in which graphics from smartphone cameras are projected in real world locations, became the biggest mobile game in U.S. history last week, with 21 million daily active users, according to a post in SurveyMonkey intelligence blog.

That staggering number is raising questions about whether some of those devices are unprotected enterprise phones or personal BYOD devices that could expose sensitive business data.

The vulnerabilities pose challenges and opportunities for managed services providers (MSPs) and managed security services providers (MSSPs).

“As an MSP, you can use apps like Pokémon GO as an example to show clients and employees the security risks involved with unprotected mobile devices and the growing need for managing these endpoints,” according to a post on Continuum’s MSPblog.

“By leveraging a mobile device management (MDM) solution, you can reduce these risks by remotely wiping an individual’s data if a device is compromised,” the post continues. “An MDM solution will also allow you to implement endpoint security policies and put restrictions on app purchases from non-validated markets.”

Several government agencies have issued advisories regarding the game. One blogger posted an unclassified memo to his Twitter feed entitled “U.S. Government operation security guidance for intelligence officers and friends playing Pokémon GO.”

“Don’t use your personal Gmail account to log in, as this not only links your personal information with your Pokémon GO activity (which includes GPS data), it could also expose your Google credentials to the app owner,” the advisory states.

Instead, players in sensitive government roles are advised to sign into the game using the alternate Pokémon Trainers Club account method or create a “throw-away” Google account just for gameplay.

Hackers target game’s maker

Niantic has offered no timetable for when the flaw might be repaired.

Though the game’s maker has vowed not to misuse the unsecured information, the Pokémon GO privacy policy also grants the company permission to sell the information it obtains from users, share it with third parties or turn it over to law enforcement.

If the personal data and other Google user files were somehow to end up in Niantic’s huge user database, the danger of a catastrophic cybersecurity breach would increase exponentially.

Over the weekend, the Pokémon GO servers suffered a major outage, which Niantic blamed on too many downloads as it expanded the game to 26 new countries.

But two separate hacker groups claimed the outage was a result of distributed denial of service (DDoS) attacks, and vowed that more were being planned in the near future.

PoodleCorp, one of the hacker organizations, said another attack would occur on Aug. 1.

The hacker group OurMine – which previously hacked the social media accounts of Mark Zuckerberg, Sundar Pichai and Jack Dorsey – sent an email to PCMag.com, saying they also attacked the Pokémon GO servers in an effort to help improve security.

“We wrote we will stop the attack if (Niantic) staff talked with us,” the web article states, citing an anonymous OurMine representative, “because we will teach them how to protect their servers.”

Send tips and news to [email protected].