source link: https://www.androidpolice.com/google-pixels-warranty-stolen-nudes-hijack-accounts/
Two Pixels returned to Google for warranty service were used to hijack accounts, stealing 'nudes' and money

By Ryne Hager

Published 2 days ago

One anonymous report on Reddit and another from game designer and NYT-bestselling author Jane McGonigal in the last week

Over the past week, two Pixel owners have publicly reported that devices sent back to Google for warranty service and replacement were used to violate their privacy. In one instance, someone allegedly took "nudes" from the device and posted them on a customer's social media account before stealing a small sum via PayPal. Game designer and New York Times bestselling author Jane McGonigal also later tweeted out her own report detailing someone's attempts to secure similar information from her account, trawling her Gmail, Google Drive, and other data backup sources after she sent her phone to Google for repair.

The first report was delivered via a post last Wednesday (December 1st) to the r/legaladvice subreddit and originated from a multiple-year-old account. Though we attempted to reach out to the author for more information last week, they weren't interested in talking at the time. Unfortunately, the original account and all related comments have since been deleted. The internet never forgets, though:

In short, the author's wife damaged her Pixel and sent it to Google for an RMA. The phone couldn't be wiped as it wouldn't power on, and a lock screen password or PIN was not set. One month after the phone was sent in, social media accounts for the author's wife were hijacked to show nude images of the author and his wife. "Hundreds of people have now seen my penis including our friends kids."

The hijacker also tried to lock the customer out of their Google account. A PayPal account was also accessed, and a small $5 sum of money was stolen — possibly a "test" for a larger amount later. The customer tracked down these unauthorized logins to Texas, and location data from the Find My Device tool reportedly pointed to the same building that Google had the phone sent to for repair. The post's author reportedly contacted Google regarding the issue and filed a police report.

One random report on Reddit isn't much to trust in isolation, but game designer and New York Times bestselling author Jane McGonigal chimed in over the weekend with her own story, documenting a similar issue she had with Google's warranty service. In this case, the phone McGonigal sent to Google for repair reportedly "disappeared" after delivery, and she'd been trying to get help from the company to find it.

Yeah, don't send your Google phone in for warranty repair/replacement. As has happened with others, last night someone used it to log into my gmail, Drive, photos backup email account, dropbox, and I can see from activity logs they opened a bunch of selfies hoping to find nudes

— Jane McGonigal (@avantgame) December 4, 2021

In this case, those with access to her phone weren't able to find the images that they'd hoped for, but her accounts, including Gmail and Dropbox, were accessed. Those who infiltrated her phone were also smart enough to adjust her email settings to try to hide security messages, deleting them and marking them as spam so she'd be less likely to see them. Activity records showed they accessed images of McGonigal "in bathing suits, sports bras, form-fitting dresses, and of stitches after surgery."

McGonigal tried to erase and lock the device remotely through Google's Find My Device tool, but those attempts apparently weren't successful.

The hacker changed my gmail settings to mark all security messages from Google as spam, so when I checked my spam folder that's where all the security alerts went while they were hacking me

— Jane McGonigal (@avantgame) December 4, 2021

In both cases, the phones couldn't be factory reset before being sent to Google, and both devices were sent to Texas (presumably the same facility) for warranty service. A secure screen lock may have helped in the case of the Reddit report (it isn't clear if McGonigal had an authentication mechanism configured) and it's a security practice we should all follow. However, it's still not something you can add to your phone before sending it in for service if, for example, the screen doesn't work, and certainly no reason to excuse a criminal invasion of their accounts and property.

With how much of our lives happens on our phones, this sort of privacy violation is terrifying, especially considering these two possible instances both happened under the apparently less-than-wary watch of either Google itself or an authorized contractor. We reached out to Google for more information regarding these two reports, but the company did not immediately respond to our questions. If and when we do hear more, we'll let you know.

Apple had to pay a customer millions of dollars just earlier this year when the same thing happened on a repaired iPhone. Best Buy's Geek Squad service also reportedly stole and circulated a customer's nude photos back in 2011-2013. 48 states in the US have so-called "revenge porn" laws that make the redistribution of "nudes" a criminal act in most places, and civil lawsuits against the companies responsible for repairs in these circumstances, like those listed above, tend to pay out very heavily.

About The Author

Ryne Hager (2851 Articles Published)

Ostensibly a senior editor, in reality just some verbose dude who digs on tech, loves Android, and hates anticompetitive practices. His only regret is that he didn't buy a Nokia N9 in 2012. Email tips or corrections to ryne at androidpolice dot com.
