To be precise, for the 'old' version of the app (My BMW Remote App) for non-i models we started off with this black box library (CD lib) which handled all the communication with the BMW servers.
While I didn't do any protocol analysis or looked at the communication between car and servers, even for this iOS app it was pretty clear to me and my colleagues what the security implications would be if someone were to be able to obtain log-in data just for that part of the communication.
Depending on the market (America, Europe, Japan, etc.) there are some limitations to what one can do with the app (based on the type of account, IIRC), such as from what range one can see where the car is on a map and whether one can unlock doors with the app or not (not allowed in the US market, from what I recall). Where these limitations are enforced I'm not sure. It might be based on the server, in which case this hack would bypass such limitations as well.
At any rate, this security leak does demonstrate quite succinctly how important it is to properly security audit such systems before releasing it into the wild. Even for the current project I do for BMW (related to the headunits), having an active internet connection means that security is essential, including plugging buffer overruns and similar.
Nobody wants to have one's headunit go blank during navigation, in a constant reset cycle or be turned into a spying device, after all
Note that I'm still under NDA for all of these projects, so I can't go into much detail.