
General Google Pixel mail-in repairs have allegedly twice resulted in leaked pics and a privacy nightmare


roirraW "edor" ehT

Recognized Contributor
https://www.theverge.com/2021/12/4/22817758/broken-google-pixel-phone-privacy-leak

Google says it’s investigating the latest report

By Emma Roth Dec 4, 2021, 7:43pm EST


After game designer and author Jane McGonigal sent her Pixel 5a to Google for repair, someone allegedly took and hacked her device. This is at least the second report in as many weeks from someone claiming they sent a Google phone in for repair, only to have it used to leak their private data and photographs. McGonigal posted a detailed account of the situation on Twitter on Saturday and advised other users not to send their phones in for repair with the company.

In October, McGonigal sent her broken phone to an official Pixel repair center in Texas. She tweeted later that Google said it never received the phone, and during the ensuing weeks, she was charged for a replacement device.

But according to McGonigal, FedEx tracking information shows the device arrived at the facility weeks ago. Late Friday night — a few hours after she says she finally received a refund for the device — someone seems to have used the “missing” phone to clear two-factor authentication checks and log in to several of her accounts, including her Dropbox, Gmail, and Google Drive.

The activity triggered several email security alerts to McGonigal’s backup accounts. However, she speculates that whoever has the phone may have used it to access her backup email addresses and then dumped any security alerts into her spam folder.

“The photos they opened were of me in bathing suits, sports bras, form-fitting dresses, and of stitches after surgery,” McGonigal writes. “They deleted Google security notifications in my backup email accounts.”

In a statement emailed to The Verge, Google spokesperson Alex Moriconi says, “We are investigating this claim.” It’s still unclear whether the device might have been intercepted within the repair facility or while it was in transit, or who has it now. Google’s official repair instructions recommend backing up and then erasing a device before sending it in. Still, as Jane McGonigal points out, that’s either hard or impossible, depending on the damage.

The whole situation reminds us of the security concerns whenever we hand over our devices for repair, and unfortunately, such activity has precedent. In June, Apple paid millions to a woman after repair technicians posted her nude photos to Facebook. Apple recently said it would start selling DIY repair kits, giving users the chance to fix their own phones, or at least have the task done by someone that a user trusts, as opposed to sending it in or dropping it off at an Apple Store.

For Pixel phones, your options for official service are either via mail-in or, in some countries, local service through an authorized provider. In the US, Google partners with uBreakiFix franchises. Whatever phone you have, the options for repairs are still somewhat limited, and you end up having to trust that no one with bad intentions will get their hands on your phone while it’s out of your possession.
 

96carboard

Senior Member
Jul 17, 2018
543
311
These people obviously don't have a reasonable screen lock.

Also, google should provide instructions to wipe with USB that can be followed by a normal person.
 

Alekos

Senior Member
> These people obviously don't have a reasonable screen lock.
>
> Also, google should provide instructions to wipe with USB that can be followed by a normal person.

for the most part, these people have no lock or biometrics on. and their screen is dead (so they think the phone is dead). but I agree, they should develop a tool but it wouldn't be easy. Have you tried running commands or whatever with a blank screen? it's very difficult. but you're right, a tool that either locks or wipes the device would be awesome, no commands or messy fastboot menus for the user would help a ton.
 

pcriz

Senior Member
Aug 23, 2008
5,060
3,011
Google Pixel 6 Pro
> for the most part, these people have no lock or biometrics on. and their screen is dead (so they think the phone is dead). but I agree, they should develop a tool but it wouldn't be easy. Have you tried running commands or whatever with a blank screen? it's very difficult. but you're right, a tool that either locks or wipes the device would be awesome, no commands or messy fastboot menus for the user would help a ton.

The lady that sent it in said she did have a screen lock and took every precaution she was instructed to take since she couldn't power on her device.
 

Alekos

Senior Member
> The lady that sent it in said she did have a screen lock and took every precaution she was instructed to take since she couldn't power on her device.

yup. I just read the article. the guy on reddit who posted a few days ago admitted there was no lock on the screen. so who knows. they could have had an easy unlock code (1234, 1111) which is the same as having no unlock code pretty much. but yeah it'll be interesting to find out the truth.
 

pcriz

Senior Member
Aug 23, 2008
5,060
3,011
Google Pixel 6 Pro
> yup. I just read the article. the guy on reddit who posted a few days ago admitted there was no lock on the screen. so who knows. they could have had an easy unlock code (1234, 1111) which is the same as having no unlock code pretty much. but yeah it'll be interesting to find out the truth.

Still though. If it's true, the service provider is in the wrong either way. Locked or unlocked. Easy or hard.
 

Alekos

Senior Member
> Still though. If it's true, the service provider is in the wrong either way. Locked or unlocked. Easy or hard.

yes. 100%. my comment makes it seem like it was the user's fault. this is 100% the blame of the repair agents/shipping/ whoever accessed the phone. this should never happen. but all we can do is minimize the likelihood
 

Morgrain

Senior Member
Aug 4, 2015
750
748
> Lesson learned don't take nudes lol

Most people don't want to hear this, but it's still a universal truth - if you don't want nudes to leak, don't take any (at least not with a smart device/cloud capable phone). If you really need to have nudes of yourself, take a polaroid and share them with your partner manually. That way, it's at least physically restricted to your immediate surroundings.

Every device can be hacked, every cloud can be broken. All those iCloud leaks could have been avoided, plus a lot of drama. It doesn't mean you can't make any nudes, just use tech that is too ancient to become a problem.

As a golden rule of thumb: Any and each information you spread to the internet, is permanently stored. And - in doubt - is accessible by at least one more person other than yourself. Keeping that in mind is paramount to understand the world wide web.

So DO NOT share any information you do not want to get accidentally leaked.

Of course this is still a terrible crime (OP linked story) and Google + the repair shop have to be held responsible. Still, you should always expect other people to behave like an a** - to deceive, cheat, fraud, lie or fool - that's the way of life for many.

Ergo life is, most often or not, about making sure that you do not share any vulnerable sides unnecessarily. At least if you want to avoid trouble.
 

Gytole

Senior Member
Aug 7, 2013
575
338
What I don't get is when I sent my phones back it SPECIFICALLY states to factory reset the phone? Do people not read? Also, if you don't want your nudes to be seen don't take any? Like...EXPECTATIONS<REALITY
 

bobby janow

Senior Member
Jun 15, 2010
6,109
2,148
> What I don't get is when I sent my phones back it SPECIFICALLY states to factory reset the phone? Do people not read? Also, if you don't want your nudes to be seen don't take any? Like...EXPECTATIONS<REALITY

How do you propose to do that if the phone is not able to turn on or connect to an external source? If this story is actually true, and I have my doubts, this would be the time you eat the cost of the device and put it in a drawer or smash it to smithereens.
 

NippleSauce

Senior Member
Jun 23, 2013
309
155
> What I don't get is when I sent my phones back it SPECIFICALLY states to factory reset the phone? Do people not read? Also, if you don't want your nudes to be seen don't take any? Like...EXPECTATIONS<REALITY

I agree with ya here. To me, this stuff seems like common sense (which the world's population seems to be losing). My thoughts are:
If you don't want your nudes stolen, don't take nudes in the first place. Even if you're not shipping your phone somewhere for repair, your pictures are still getting uploaded to Google Photos and can be snatched in other ways. But still, if you really want to take nude photos anyway, then you should put them into a locked folder within Google Photos just after taking them so that they're not immediately visible within the Photos app. Granted, I'm not sure if the jpg files of locked folder pictures would still be present in the normal "DCIM" folder... But I imagine they'd be hidden somewhere at the system level (which normally can't be accessed without root)...?

I should probably test this on my phone - but I'd have to take some nudes first, haha. (Jk, of course)
 

96carboard

Senior Member
Jul 17, 2018
543
311
> for the most part, these people have no lock or biometrics on. and their screen is dead (so they think the phone is dead). but I agree, they should develop a tool but it wouldn't be easy. Have you tried running commands or whatever with a blank screen? it's very difficult. but you're right, a tool that either locks or wipes the device would be awesome, no commands or messy fastboot menus for the user would help a ton.

It wouldn't be hard. Just running "fastboot format userdata" would clear it, so you don't need to mess with menus -- just power it on with the right volume button pressed. So really all the tool needs to do is monitor for fastboot on a USB and issue the format command.
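
The tool described in the post above, sketched as an added example (not code from the thread or from Google): it polls `fastboot devices`, refuses to act if more than one device is attached, and counts the wipe as done only if `fastboot format userdata` exits successfully, since a bootloader can refuse the command (for example while locked). `FASTBOOT`, `POLL_TRIES`, `POLL_DELAY` and the `--wipe` switch are names chosen for this sketch.

```shell
#!/bin/sh
# Added example: wait for one phone in fastboot mode, then wipe its userdata.
# FASTBOOT, POLL_TRIES and POLL_DELAY are hypothetical knobs for this sketch.
FASTBOOT="${FASTBOOT:-fastboot}"
POLL_TRIES="${POLL_TRIES:-60}"
POLL_DELAY="${POLL_DELAY:-2}"

# Print the serial of the single device in fastboot mode.
# Returns 1 on timeout, 2 if more than one device is attached.
wait_for_fastboot() {
    tries=0
    while [ "$tries" -lt "$POLL_TRIES" ]; do
        # "fastboot devices" prints one "<serial><TAB>fastboot" line per device.
        serials=$("$FASTBOOT" devices 2>/dev/null | awk '$2 == "fastboot" {print $1}')
        count=$(printf '%s\n' "$serials" | awk 'NF {n++} END {print n+0}')
        if [ "$count" -eq 1 ]; then
            printf '%s\n' "$serials"
            return 0
        elif [ "$count" -gt 1 ]; then
            echo "more than one fastboot device attached; unplug the others" >&2
            return 2
        fi
        tries=$((tries + 1))
        sleep "$POLL_DELAY"
    done
    echo "no fastboot device seen" >&2
    return 1
}

# Format userdata on the given serial; succeed only if fastboot reports success.
wipe_userdata() {
    serial="$1"
    if "$FASTBOOT" -s "$serial" format userdata; then
        echo "userdata formatted on $serial"
    else
        echo "wipe NOT confirmed on $serial (bootloader may have refused it)" >&2
        return 1
    fi
}

# Run only when asked explicitly, since this destroys all user data.
if [ "${1:-}" = "--wipe" ]; then
    serial=$(wait_for_fastboot) || exit 1
    wipe_userdata "$serial"
fi
```

A non-zero exit means the data must be assumed to still be on the device.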
 

roirraW "edor" ehT

Recognized Contributor
Google says Pixel repair privacy breach wasn’t from employees, new security instructions coming

Ben Schoon
- Dec. 8th 2021 8:23 am PT

Google has been under scrutiny this week as multiple reports of mail-in Pixel repairs resulted in compromised accounts and leaked photographs. Now, the company is saying that this breach of privacy wasn’t at the hands of Google employees, and the company will apparently update instructions for mail-in Pixel repairs and help customers lock down their data.

Speaking to The Verge, Google has said that an investigation of these privacy issues has confirmed that the account invasion was not from Google employees/Pixel repair techs. The company has not said where the breach came from at this point or where the invaded devices are. Transit seems like the most likely scenario at this point.
After a thorough investigation, we can say with confidence that the issue impacting the user was not related to the device RMA [Return Merchandise Authorization]. We have worked closely with the user to better understand what occurred and how best to secure the account going forward.
Google Spokesperson Alex Moriconi
To prevent this sort of issue in the future, too, Google will apparently start providing new instructions to help users lock down their accounts and data, presumably in addition to the current instructions that already recommend resetting the device before sending it in.
Specifics aren’t available, but Google apparently told Jane McGonigal that new security instructions for those who cannot factory reset their phone before sending it off for repair will be coming.
 
