Google Pixel mail-in repairs have allegedly twice resulted in leaked pics and a privacy nightmare

After investigating, Google has confidence the issue was “not related to the device RMA.”

Illustration by Alex Castro / The Verge

After game designer and author Jane McGonigal sent her Pixel 5a to Google for repair, someone allegedly took and hacked her device. This is at least the second report in as many weeks from someone claiming they sent a Google phone in for repair, only to have it used to leak their private data and photographs. McGonigal posted a detailed account of the situation on Twitter on Saturday and advised other users not to send their phones in for repair with the company.

In October, McGonigal sent her broken phone to an official Pixel repair center in Texas. She tweeted later that Google said it never received the phone, and during the ensuing weeks, she was charged for a replacement device.

But according to McGonigal, FedEx tracking information shows the device arrived at the facility weeks ago. Late Friday night — a few hours after she says she finally received a refund for the device — someone seems to have used the “missing” phone to clear two-factor authentication checks and log in to several of her accounts, including her Dropbox, Gmail, and Google Drive.

The activity triggered several email security alerts to McGonigal’s backup accounts. However, she speculates that whoever has the phone may have used it to access her backup email addresses and then dumped any security alerts into her spam folder.

“The photos they opened were of me in bathing suits, sports bras, form-fitting dresses, and of stitches after surgery,” McGonigal writes. “They deleted Google security notifications in my backup email accounts.”

Google spokesperson Alex Moriconi initially told The Verge that the company is investigating the issue, but now it appears that the investigation has concluded. “After a thorough investigation, we can say with confidence that the issue impacting the user was not related to the device RMA [Return Merchandise Authorization],” Moriconi said. “We have worked closely with the user to better understand what occurred and how best to secure the account going forward.”

Google’s official repair instructions recommend backing up and then erasing a device before sending it in. Still, as Jane McGonigal points out, that’s either hard or impossible, depending on the damage. It’s still unclear whether the device might have been intercepted within the repair facility or while it was in transit, or who has it now. “Based on my conversations with Google Security, I don’t think FedEx is an issue with what happened to my account,” McGonigal told The Verge.

Just two days after McGonigal’s complaint, it looks like she received some assistance from Google. “Pixel Support and Google Security have been extremely helpful today I am happy to report,” she tweeted. McGonigal also notes that in response to her case, Google may start providing additional instructions for users with broken devices who are unable to perform a factory reset.

The whole situation reminds us of the security concerns whenever we hand over our devices for repair, and unfortunately, such activity has precedent. In June, Apple paid millions to a woman after repair technicians posted her nude photos to Facebook. Apple recently said it would start selling DIY repair kits, giving users the chance to fix their own phones, or at least have the task done by someone that a user trusts, as opposed to sending it in or dropping it off at an Apple Store.

For Pixel phones, your options for official service are either via mail-in or, in some countries, local service through an authorized provider. In the US, Google partners with uBreakiFix franchises. Whatever phone you have, the options for repairs are still somewhat limited, and you end up having to trust that no one with bad intentions will get their hands on your phone while it’s out of your possession.

Update December 14th, 2:00PM ET: Updated to add an additional statement from McGonigal about her conversation with Google Security.

Update December 7th, 6:20PM ET: Updated to add a statement from a Google spokesperson regarding an update in the company’s investigation. Also added a December 6th tweet from McGonigal, as well as some extra context about that tweet.
