It has taken the world by storm - but may have led millions of iPhone users to inadvertently give away access to their Google account.
Experts have warned that iOS users of Pokémon Go are putting themselves at risk by signing up using Google, as the game requests access to all of their information - from email to search history.
Niantic, the maker of the game, was today forced into an embarrassing apology over the security gaffe, and admitted it was a programming mistake as it released an updated version fixing the issue.
"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account," the firm told Recode.
"However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.
"Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access."
The update can be downloaded from the App Store on iPhones to fix the Google Account security concerns.
The firm is also working with Google on a fix, the company confirmed.
"Google has verified that no other information has been received or accessed by Pokémon GO or Niantic.
"Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."
Security expert Adam Reeve said he first noticed the issue while signing in online.
"On a whim I went to see which permissions it was granted," he wrote.
"To say I was a little stunned is putting it lightly - it said: Pokemon Go has full access to your Google account."
Reeve believes the game, which is based on Ingress, a title developed at Google before its maker was spun out as a separate firm called Niantic, is not actually using these permissions for anything other than logging people in.
"I obviously don't think Niantic are planning some global personal information heist.
"This is probably just the result of epic carelessness."
However, he admitted he had deleted his account in light of the issue.
"But I don't know anything about Niantic's security policies. I don't know how well they will guard this awesome new power they've granted themselves, and frankly I don't trust them at all.
"I've revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there's no way it's worth the risk."
"When you grant full account access, the application can see and modify nearly all information in your Google Account," Google says on its support page.
"This 'Full account access' privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."
Just one day after its July 6th release, Pokémon Go had already been installed on more Android devices than Tinder, and it is now threatening to overtake Twitter in number of active users.