The risk from attack comes from how the Google account linkage works. With a locally managed account system, like the Trainer Club, an account database contains a mix of unencrypted entries for elements like a user’s account name and email address, and encrypted entries for passwords. With good cryptographic system design, even should an attacker obtain an entire database, the passwords can’t be extracted, even with enormous effort. (Weak systems allow brute-force attacks.)
However, apps and sites that use accounts for authentication run by other sites—like Google, Twitter, and Facebook—don’t store a password, encrypted or otherwise, for that third-party site. Rather, after a user logs into the third-party site and the account is verified, a developer receives a token, just a short piece of unique text, that’s stored and used to handle interaction.
An attacker need only obtain that token to make use of the linked account, whether posting messages on Twitter or reading email on Google.
As Reeve notes, access to email alone can be the thin edge of a wedge to hijack someone’s identity and accounts at multiple sites. Many people use Gmail as their primary or secondary email address, and so other sites would send password-recovery emails to that Gmail account. An attacker with email addresses and tokens could try to reset passwords at popular sites at which it’s likely Pokémon Go users had accounts, and then take over those related accounts.
A spokesperson for Niantic, the game’s developer, said the company has no comment on the matter at this time. We’ve also contacted Google and will update this story when new information arises. (Niantic was once owned by Google, and was spun off as a freestanding company in October 2015 with investment from Google, the Pokémon Company, and Nintendo, which owns a third of the Pokémon Company.
Niantic’s complete statement:
Update: This story was updated with a response from Niantic and with instructions to revoke Google account access.
Sign up for CIO Asia eNewsletters.