I received a supposedly new product yesterday from Amazon or an Amazon reseller. What I received apparently was a refurbished item. On booting it up I discovered it had two Google accounts associated with it and probably active based on the age of the device.
Anyway, Pocketables is now funded through a generous anonymous donation from two people I’ve never heard of….
I kid… I saw that there were Google accounts already on the device, took a quick pic, tossed the email addresses a note telling them what I received, and suggested they go to google and revoke permissions. I factory reset the item, verified there were no straggler files sitting around in a download directory or something similar as I do not want to be in possession of other people’s stuff.
Company involved is investigating at the moment. Highly suspect an RMA scenario with a bad power supply and a mix up on return/resell pile.
Device I’m dealing with does not require authentication to get into as it’s an Android TV box, which means I probably had access to anything they hadn’t locked down (Play Store purchases, email, etc.)
Do this before that Android tech leaves your house
On Android / Android TV devices verify the downloads folder is empty and then factory reset the device. I’ve factory reset several devices in the past and discovered stragglers in downloads. Shouldn’t be going forward on Android devices, but that’s what’s happened way in the past.
In the scenario I encountered I highly suspect that the unit that I got was unable to start so that the people could get in and remove their accounts. This is generally what happens when people RMA stuff. In that event you should go to your account’s security page and revoke authorizations for login. On Google you go to myaccount.google.com click security, Manage all Devices under Your Devices, find what you’re RMAing and remove authorization from it.
This will prevent future access to your account in the event that you’re unable to get into the device (destroyed screen, blown battery, bad PSU, etc). In the case of an Android TV device, remember it’s linked to your account and if you granted it authorization a rogue bad actor getting a refurb might have access to your emails / account.
Factory resetting a device is probably more than enough, but why take the risk?
Things like Tile and Samsung Bluetooth trackers are bound to your account. Don’t like them? Make sure to remove them from the tracker app you’ve got or the idiot resellers on Amazon will resell your tracker and you’ll get the address of where your tracker ended up showing on the tracker app.
You’ll also force that person to 1) receive a product they can’t use because these trackers offer no ability to resale people to see if they’re active or not, 2) contribute to a whole lot of wasted effort.
Don’t trust recycling to do it
I’m going to skip the long story and say just don’t trust any company to wipe your data securely before reselling the product as used. I’ve got some horror stories and there’s a reason no hard drive leaves my work intact or without a full fill-up after multiple wipes.
Assume that anything that doesn’t require a password to access is a thief’s delight
While I have purchase password / biometric authentication on for anything that costs money, getting access to my email might be fairly easy through a stolen Android TV device… I’ve got to check that out. They generally require no password to boot up and start playing, have access to the Play Store, and probably you’re not thinking to revoke authorizations after having been robbed.
Eh, anyway, be safe, think before you RMA or after you’ve been robbed. Thief + VPN enabled router + your email and an unlocked device probably = problems.