After game designer and author Jane McGonigal sent her Pixel 5a to Google for repair, someone allegedly took and hacked her device. This is at least the second report in as many weeks from someone claiming they sent a Google phone in for repair, only to have it used to leak their private data and photographs. McGonigal posted a detailed account of the situation on Twitter on Saturday and advised other users not to send their phones in for repair with the company.
In October, McGonigal sent her broken phone to an official Pixel repair center in Texas. She tweeted later that Google said it never received the phone, and during the ensuing weeks, she was charged for a replacement device.
But according to McGonigal, FedEx tracking information shows the device arrived at the facility weeks ago. Late Friday night — a few hours after she says she finally received a refund for the device — someone seems to have used the “missing” phone to clear two-factor authentication checks and log in to several of her accounts, including her Dropbox, Gmail, and Google Drive.
The activity triggered several email security alerts to McGonigal’s backup accounts. However, she speculates that whoever has the phone may have used it to access her backup email addresses and then dumped any security alerts into her spam folder.
“The photos they opened were of me in bathing suits, sports bras, form-fitting dresses, and of stitches after surgery,” McGonigal writes. “They deleted Google security notifications in my backup email accounts.”
Google spokesperson Alex Moriconi initially told The Verge that the company is investigating the issue, but now it appears that the investigation has concluded. “After a thorough investigation, we can say with confidence that the issue impacting the user was not related to the device RMA [Return Merchandise Authorization],” Moriconi said. “We have worked closely with the user to better understand what occurred and how best to secure the account going forward.”
Google’s official repair instructions recommend backing up and then erasing a device before sending it in. Still, as Jane McGonigal points out, that’s either hard or impossible, depending on the damage. It’s still unclear whether the device might have been intercepted within the repair facility or while it was in transit, or who has it now. “Based on my conversations with Google Security, I don’t think FedEx is an issue with what happened to my account,” McGonigal told The Verge.
Just two days after McGonigal’s complaint, it looks like she received some assistance from Google. “Pixel Support and Google Security have been extremely helpful today I am happy to report,” she tweeted. McGonigal also notes that in response to her case, Google may start providing additional instructions for users with broken devices who are unable to perform a factory reset.
The whole situation is a reminder of the security concerns that arise whenever we hand over our devices for repair, and unfortunately, such activity has precedent. In June, Apple paid millions to a woman after repair technicians posted her nude photos to Facebook. Apple recently said it would start selling DIY repair kits, giving users the chance to fix their own phones, or at least have the task done by someone they trust, as opposed to sending the phone in or dropping it off at an Apple Store.
For Pixel phones, your options for official service are either via mail-in or, in some countries, local service through an authorized provider. In the US, Google partners with uBreakiFix franchises. Whatever phone you have, the options for repairs are still somewhat limited, and you end up having to trust that no one with bad intentions will get their hands on your phone while it’s out of your possession.
Update December 14th, 2:00PM ET: Updated to add an additional statement from McGonigal about her conversation with Google Security.
Update December 7th, 6:20PM ET: Updated to add a statement from a Google spokesperson regarding an update in the company’s investigation. Also added a December 6th tweet from McGonigal, as well as some extra context about that tweet.