Google Pixel hacked while out for repair: the second case in a few weeks

The nightmare that everyone hopes never to face materialized a few days ago for Jane McGonigal, whose Google Pixel was hacked after she sent it to the Mountain View company for repair. Sending a phone in for repair is a common operation, especially for smartphones produced by Google, which over the years have more than once shown obvious defects.

The problem this time, however, is not the defect in the smartphone sent for repair but the absurd story that Jane McGonigal, an author for the New York Times, told on Twitter, where she is a public figure with a verification tick next to her name.

Last October, McGonigal sent her broken smartphone to an official Google repair center located in Texas, USA. The first surprise was an email, directly from the company, informing her that the center had never received the smartphone she sent.

The package addressed to the repair center was sent via FedEx, with tracking information certifying that it had arrived at its destination, the repair center. So the package containing McGonigal’s Google Pixel 5A mysteriously “disappeared” at the repair center, even though the tracking showed that it had been delivered.

As often happens, she resigned herself to waiting for further investigation by the carrier and Google: when a package is lost, companies readily try to shift responsibility, and the process can go on for weeks before it is resolved.

The refund for the lost device came on December 4th, but a few hours later Jane noticed that something was wrong with her Google account: “As has happened to others, last night someone [using the smartphone sent for repair] got into my Gmail, Drive, photo backup account and Dropbox, and I can see from the activity logs that they opened some selfies hoping to find nude photos. The opened photos were of me in a bathing suit, sports bras, tight clothes, and after surgery.”

Is there a security problem with Google Pixels?

The suspicious activity was correctly reported via security emails on Gmail – and the user immediately tried to recover the Gmail password – but the attackers who “hacked” McGonigal’s Google Pixel had thought to filter those emails as spam, so the victim never saw the notifications about the fraudulent activity carried out without her knowledge. She tried to reset her device remotely, but this procedure is not possible unless the device is turned on and connected to a Wi-Fi and GPS network.

By changing the Google services password using the “lost” phone as a trusted device, the attackers managed to compromise the recovery email as well, thus silencing any type of alarm. Only the activity logs, which were not deleted, make it possible to trace what was done before Jane McGonigal realized that something was wrong.


Google’s response was not long in coming: after the media attention that the tweet generated, spokesman Alex Moriconi said that the company is investigating what happened. Many aspects of this story remain unclear, starting with the exact moment at which the Google Pixel 5 was intercepted: was it during transport with FedEx, or after the product arrived at Google’s official repair center in Texas? Only further investigation will be able to clarify a matter which, unfortunately, does not seem to be an isolated case.

In fact, our colleagues at Android Police point to a Reddit post, now deleted, that reported a case very similar to the one described by McGonigal. The post, which we reproduce in the image below, was first published on December 1st in the r/legaladvice subreddit, which specializes in legal advice.

Needless to say, in this case too the victim of the hack was a woman: a month earlier she had sent her Google Pixel for an RMA procedure to the same repair center in Texas. The phone was used to post nude photos of her and her husband on their social media accounts, especially Facebook and Instagram. Imagine the shock of knowing that friends, family and children have viewed such intimate photos.

With everything our smartphones store, a privacy breach like the one just described is terrifying even to think about, especially if the user places total trust in the company they rely on, in this case Google. The investigations still have to clarify many obscure points in this matter, in particular whether the carrier used for the transport (FedEx) was involved. But the mere idea that someone could spy on us through our phones sent for repair smacks of Black Mirror and destroys the fundamental relationship of trust between users and a company.

And it is not only Google that is guilty, at least so far: this year the American giant Apple paid compensation in the millions over a story similar to the one just described, involving an iPhone sent for repair and nude photos circulated online by service employees. For now, the only way to really make sure you don’t run into problems when sending a product for repair is to factory reset the device.
