Over the week, two Pixel owners have publicly reported that devices sent back to Google for warranty service and replacement were used to violate their privacy. In one instance, someone allegedly took "nudes" from the device and posted them on a customer's social media account before stealing a small sum via PayPal. Game designer and New York Times bestselling author Jane McGonigal also later tweeted out her own report detailing someone's attempts to secure similar information from her account, trawling her Gmail, Google Drive, and other data backup sources after she sent her phone to Google for repair.

The first report was delivered via a post last Wednesday (December 1st) to the r/legaladvice subreddit and originated from a multiple-year-old account. Though we attempted to reach out to the author for more information last week, they weren't interested in talking at the time. Unfortunately, the original account and all related comments have since been deleted. The internet never forgets, though:

In short, the author's wife damaged her Pixel and sent it to Google for an RMA. The phone couldn't be wiped as it wouldn't power on, and a lock screen password or PIN was not set. One month after the phone was sent in, social media accounts for the author's wife were hijacked to show nude images of the author and his wife. "Hundreds of people have now seen my penis including our friends kids."

The hijacker also tried to lock the customer from their Google account. A PayPal account was also accessed, and a small $5 sum of money was stolen — possibly a "test" for a larger amount later. The customer tracked down these unauthorized logins to Texas, and location data from the Find My Device tool reportedly pointed to the same building that Google had the phone sent to for repair. The post's author reportedly conteacted Google regarding the issue and filed a police report.

One random report on Reddit isn't much to trust in isolation, but game designer and New York Times bestselling author Jane McGonigal chimed in over the weekend with her own story, documenting a similar issue she had with Google's warranty service. In this case, the phone McGonigal sent to Google for repair reportedly "disappeared" after delivery, and she'd been trying to get help from the company to find it.

In this case, those with access to her phone weren't able to find the images that they'd hoped for, but her accounts, including Gmail and Dropbox, were accessed. Those who infiltrated her phone were also smart enough to adjust her email settings to try to hide security messages, deleting them and marking them as spam so she'd be less likely to see them. Activity records showed they accessed images of McGonigal "in bathing suits, sports bras, form-fitting dresses, and of stitches after surgery."

McGonigal tried to erase and lock the device remotely through Google's Find My Device tool, but those attempts apparently weren't successful.

In both cases, the phones couldn't be factory reset before being sent to Google, and both devices were sent to Texas (presumably the same facility) for warranty service. A secure screen lock may have helped in the case of the Reddit report (it isn't clear if McGonigal had an authentication mechanism configured) and it's a security practice we should all follow. However, it's still not something you can add to your phone before sending it in for service if, for example, the screen doesn't work, and certainly no reason to excuse a criminal invasion of their accounts and property.

With how much of our lives happens on our phones, this sort of privacy violation is terrifying, especially considering these two possible instances both happened under the apparently less-than-wary watch of either Google itself or an authorized contractor. We reached out to Google for more information regarding these two reports, but the company did not immediately respond to our questions. If and when we do hear more, we'll let you know.

Apple had to pay a customer millions of dollars just earlier this year when the same thing happened on a repaired iPhone. Best Buy's Geek Squad service also reportedly stole and circulated a customer's nude photos back in 2011-2013. 48 states in the US have so-called "revenge porn" laws that make the redistribution of "nudes" a criminal act in most places, and civil lawsuits against the companies responsible for repairs in these circumstances, like those listed above, tend to pay out very heavily.

UPDATE: 2021/12/08 11:17 EST BY SCOTT SCRIVENS

Google is confident that it's not related to the device RMA

The Verge has updated its coverage to include the following statement from Google spokesperson Alex Moriconi:

"After a thorough investigation, we can say with confidence that the issue impacting the user was not related to the device RMA [Return Merchandise Authorization] ... We have worked closely with the user to better understand what occurred and how best to secure the account going forward."

This is in relation to the Jane McGonigal case, in particular, but there are still some pretty major unanswered questions. We still don't know exactly what happened to the phone or exactly how McGonigal's Google account was compromised. It could be that the phone was never actually delivered to the Google repair facility, but we may never know for sure.