After game designer and author Jane McGonigal sent her Pixel 5a to Google for repair, someone allegedly took and hacked her device. This is at least the second report in as many weeks from someone claiming they sent a Google phone in for repair, only to have it used to leak their private data and photographs. McGonigal posted a detailed account of the situation on Twitter on Saturday and advised other users not to send their phones in for repair with the company.
Yeah, don’t send your Google phone in for warranty repair/replacement. As has happened with others, last night someone used it to log into my gmail, Drive, photos backup email account, dropbox, and I can see from activity logs they opened a bunch of selfies hoping to find nudes
— Jane McGonigal (@avantgame) December 4, 2021
In October, McGonigal sent her broken phone to an official Pixel repair center in Texas. She tweeted later that Google said it never received the phone, and during the ensuing weeks, she was charged for a replacement device.
But according to McGonigal, FedEx tracking information shows the device arrived at the facility weeks ago. Late Friday night — a few hours after she says she finally received a refund for the device — someone seems to have used the “missing” phone to clear two-factor authentication checks and log in to several of her accounts, including her Dropbox, Gmail, and Google Drive.
The activity triggered several email security alerts to McGonigal’s backup accounts. However, she speculates that whoever has the phone may have used it to access her backup email addresses and then dumped any security alerts into her spam folder.
“The photos they opened were of me in bathing suits, sports bras, form-fitting dresses, and of stitches after surgery,” McGonigal writes. “They deleted Google security notifications in my backup email accounts.”
In a statement emailed to The Verge, Google spokesperson Alex Moriconi says, “We are investigating this claim.” It’s still unclear whether the device might have been intercepted within the repair facility or while it was in transit, or who has it now. Google’s official repair instructions recommend backing up and then erasing a device before sending it in. Still, as Jane McGonigal points out, that’s either hard or impossible, depending on the damage.
The whole situation reminds us of the security concerns whenever we hand over our devices for repair, and unfortunately, such activity has precedent. In June, Apple paid millions to a woman after repair technicians posted her nude photos to Facebook. Apple recently said it would start selling DIY repair kits, giving users the chance to fix their own phones, or at least have the task done by someone that a user trusts, as opposed to sending it in or dropping it off at an Apple Store.
For Pixel phones, your options for official service are either via mail-in or, in some countries, local service through an authorized provider. In the US, Google partners with uBreakiFix franchises. Whatever phone you have, the options for repairs are still somewhat limited, and you end up having to trust that no one with bad intentions will get their hands on your phone while it’s out of your possession.
https://www.theverge.com/2021/12/4/22817758/broken-google-pixel-phone-privacy-leak