
Google Pixel phone owner has data breached after mailing in device for repair

When you send in your phone for a repair, you don’t expect to have your intimate photos and other details leaked. However, that is precisely what happened to Jane McGonigal. The game designer/author sent her Pixel 5a to Google for a repair, and an individual was able to gain access to her device.

Due to her ordeal, she is advising people not to make the mistake of sending their devices to Google for repair or replacement. She posted the warning on Twitter:

“Yeah, don’t send your Google phone in for warranty repair/replacement. As has happened with others, last night someone used it to log into my gmail, Drive, photos backup email account, dropbox, and I can see from activity logs they opened a bunch of selfies hoping to find nudes.”

Here is what transpired between McGonigal and Google regarding her phone: she sent her damaged device to the Pixel repair facility in Texas through FedEx in October. However, Google claimed the phone never got to them. McGonigal was then made to pay for a replacement.

Meanwhile, FedEx showed the phone as having arrived at the facility several weeks earlier, and that was where the whole drama began. McGonigal eventually got a refund for the device. Still, a few hours after she was notified of the refund, somebody began to use the phone to pass through two-factor authentication checks!

The intruder eventually logged into the Dropbox, Gmail, and Google Drive accounts.

Trying to cover their tracks, the intruder, according to McGonigal’s theory, moved all the email security alerts the breach triggered to her backup account’s spam folder. Apparently, her backup email account was on the same phone.

McGonigal explains the intruder went through photos of her in bathing suits, sports bras, form-fitting dresses, and after-surgery stitches.

Google responded to The Verge’s inquiry, saying it was looking into the incident. It couldn’t say exactly in whose hands the device was or whether it was intercepted inside the repair center or before it got there.

People sending in their devices for repair or replacement are advised to wipe their phones clean of any data after performing backups. However, that is not always possible to do, depending on the type or degree of damage the device has suffered, a point McGonigal mentioned.

Google allows Pixel owners to mail in their devices for repairs or use an authorized local repair service provider. uBreakiFix has franchise operators that partner with Google to repair phones in the US.

Other phone makers face similar problems securing user data when faulty devices are sent in for repairs. Apple, for example, coughed up millions when its repair technicians posted a customer’s nude photos to Facebook.

However, Apple customers won’t always have to send in their devices for repairs. The company has announced it will begin offering DIY repair kits that will allow Apple device owners to repair their own devices, which will reduce incidents of data leaks by rogue repair technicians. However, only those with the technical know-how would benefit from this move.

McGonigal is open to a class-action lawsuit against Google.

“The photos they opened were of me in bathing suits, sports bras, form-fitting dresses, and of stitches after surgery. They deleted Google security notifications in my backup email accounts.

“If someone is interested in starting a class action lawsuit against Google for this, feel free to contact me.

“This happened even though I tried to erase the phone and lock the phone from Google’s find my phone service.

“The hacker changed my gmail settings to mark all security messages from Google as spam, so when I checked my spam folder that’s where all the security alerts went while they were hacking me

“also to be clear I have been on Google support and Pixel support dozens of times all week BEFORE the hack happened, asking them to investigate why my phone marked delivered by FedEx ‘disappeared’ at the warehouse. At any time someone could have offered me any security advice?!

“a consumer can’t factory reset a phone that won’t turn on. I took every other recommended step to secure it including Lock my Phone and Erase my Phone via Google’s FindMyPhone service. It did not work.”

Written by HackerVibes
