None of us would willingly hand our phones over to someone if we thought they were going to steal and leak our personal data—but recent reports indicate some Apple and Google repair staff are doing just that.
Author and game designer Jane McGonigal is the latest high-profile victim of a scheme to intercept a phone sent in for repair and use it to find and leak personal data. According to McGonigal’s Twitter thread, the phone was apparently “lost” in Google’s repair facility, so she bought a replacement. Weeks later, the seemingly missing phone was used to access and steal photos and other sensitive data. McGonigal says that, based on activity logs, the thief “opened a bunch of selfies hoping to find nudes.”
This has happened before, and not just to Pixel users. Several replies to McGonigal’s original Tweet allege similar situations where photos, data, and even money were stolen through phones sent to Google for repairs. And back in June, Apple paid a $2 million settlement to a woman who had nude photos stolen and leaked by iPhone repair technicians working on her phone.
Hopefully, Apple and Google will soon begin allowing US users to perform a wider range of repairs at home without risking their device’s functionality, but for now, sending your broken phone in by mail or handing it over to a repair technician are the only options for most people. So how do you keep your photos, files, and accounts safe from snooping repair technicians, thieves, or anyone else who gets their hands on your phone?
Well, the obvious preventative measure is to keep all sensitive data off your devices and accounts at all times. Unfortunately, that’s not always feasible. We all have personal data on our devices we don’t want folks to see—I don’t just mean nudes or illicit texts, but financial information, saved passwords, and more.
That’s why it’s worth taking the time to prepare your device before sending it in for repairs. The most important thing is to move sensitive data saved on the device somewhere else. You could move it to a separate cloud drive unlinked from your Google Drive or iCloud account, or save it on a local hard drive. Bonus points if it’s encrypted. After that, sign out of your accounts and, if possible, perform a factory reset.
But that won’t help if your device is unusable, or you’ve already sent it in. In that case, sign into your account(s) from another device and turn on 2FA and login alerts wherever possible, and update your passwords. You can also monitor which devices are actively signed into your Google or iCloud accounts. If you get an unexpected login alert or notice suspicious activity, you can use Apple’s Find My app or Android’s “Find my Phone” feature to sign out of devices remotely from a browser.
Unfortunately, these aren’t sure-fire solutions: As we saw in McGonigal’s case, the thief knew how to hide what they were doing and circumvent McGonigal’s attempts to thwart their activity. Still, keeping an eye on your accounts could stop someone from accessing your data and apps if you catch any suspicious activity in time.