After game designer and author Jane McGonigal sent her Pixel 5a in for repair at Google, someone allegedly took and hacked her device. This is at least the second report in as many weeks from someone claiming they sent a Google phone in for repair, only to have it used to leak their private data and photographs. She posted a detailed account of the situation on Twitter today and advised other users not to send their phones in for repair with the company.
Yeah, don’t send your Google phone in for warranty repair/replacement. As has happened with others, last night someone used it to log into my gmail, Drive, photos backup email account, dropbox, and I can see from activity logs they opened a bunch of selfies hoping to find nudes
— Jane McGonigal (@avantgame) December 4, 2021
In October, McGonigal sent her broken Pixel 5a for a repair at an official Pixel repair center in Texas. McGonigal tweeted later that Google said it never received the phone, and during the ensuing weeks, she was charged for a replacement device.
But according to McGonigal, the device’s FedEx tracking information shows it arrived at the facility weeks ago. Late last night — a few hours after she says she finally received a refund for the device — someone seems to have used the “missing” phone to clear two-factor authentication checks and log in to several of her accounts, including her Dropbox, Gmail, and Google Drive.
The activity triggered several email security alerts to McGonigal’s backup accounts. However, whoever has the phone may have used it to access her backup email addresses and then dumped any security alerts in her spam folder.
“The photos they opened were of me in bathing suits, sports bras, form-fitting dresses, and of stitches after surgery,” McGonigal writes. “They deleted Google security notifications in my backup email accounts.”
In a statement emailed to The Verge, Google spokesperson Alex Moriconi says, “We are investigating this claim.” It’s still unclear whether the device might’ve been intercepted within the repair facility or while it was in transit, or who has it now. Google’s official repair instructions recommend backing up and then erasing a device before sending it in. Still, as Jane McGonigal points out, that’s either hard or impossible, depending on the damage.
The whole situation is a reminder of the security concerns that arise whenever we blindly hand over our devices for repair, and unfortunately, such activity has a precedent. In June, Apple paid millions to a woman after repair technicians posted her nudes to Facebook. Apple recently said it would start selling DIY repair kits, giving you the chance to fix your phone yourself, or at least have the task done by someone you trust, as opposed to sending it in or dropping it off at an Apple Store.
For Pixel phones, your options for official service are either via mail-in or, in some countries, local service through an authorized provider. In the United States, Google partners with uBreakiFix franchises. Whatever you choose, there’s a level of trust needed to give up your phone, whether it’s over the counter or shipped hundreds of miles away.