When we hit "factory reset" on our gadgets, we expect every trace of sensitive information to be wiped, completely. Researchers have shown that, with some basic hacking, credit card information left on old Xbox 360 hard drives can be recovered. Sigh.
The flaw, discovered by Drexel University researchers, is a serious concern for any Xbox 360 owner who has sold their hard drive or entire console. Using "basic modding tools" (many of which are said to be freely available online), the researchers hacked into a refurbished Xbox 360 and soon got hold of the previous owner's credit card info.
One of the researchers, Ashley Podhradsky, said that hacking into used Xbox 360 consoles and collecting the "erased" credit card data is relatively easy.
To protect your data, don't rely on a factory reset. Do this instead:
Podhradsky recommends detaching your 360's hard drive, hooking it up to your computer, and using a sanitization program like Darik's Boot & Nuke (DBAN) to overwrite the whole drive. Just reformatting isn't enough: a reformat rewrites the filesystem's metadata at the start of the disk, but the sectors that held your files stay intact until something overwrites them, and anyone who reads the raw disk can still find the data there.
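The difference between a reformat and a real wipe is easy to see for yourself. The script below is an added example, not code from the Drexel researchers or from Microsoft: it uses an ordinary 4 MiB file as a stand-in for the console's drive, plants a made-up card number in it, then compares what a quick format leaves behind with what a full overwrite (the kind of pass DBAN runs over every sector) leaves behind. The file path, the marker string and the 64 KiB "metadata area" are all assumptions chosen for the demonstration; no real disk is touched.

```shell
#!/bin/sh
# Added example for this article (not code from the researchers or Microsoft).
# It simulates, on an ordinary file standing in for the Xbox 360 hard drive,
# why a quick reformat leaves old data recoverable while a full overwrite
# does not. No real disk is touched; the "card number" below is made up.

IMG="${TMPDIR:-/tmp}/fake_xbox_drive.img"   # assumed scratch path
MARKER="CARD=4111111111111111"              # constructed stand-in for stored card data
MIB=1048576                                 # 1 MiB, spelled out so dd is portable

# Create a 4 MiB "drive" and plant the marker 2 MiB in, roughly where a game
# or app that cached payment details might have left it.
make_drive() {
    dd if=/dev/zero of="$IMG" bs=$MIB count=4 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMG" bs=$MIB seek=2 conv=notrunc 2>/dev/null
}

# A quick format only rewrites the filesystem metadata at the start of the
# disk (assumed here to be the first 64 KiB); every other sector is untouched.
quick_format() {
    dd if=/dev/zero of="$IMG" bs=65536 count=1 conv=notrunc 2>/dev/null
}

# A sanitizing wipe (what DBAN does, with several passes) overwrites every
# sector of the device, not just the metadata. One pass of random data here.
full_wipe() {
    dd if=/dev/urandom of="$IMG" bs=$MIB count=4 conv=notrunc 2>/dev/null
}

# The "recovery" step: a raw scan of the drive image for the marker, which is
# all someone with a SATA adapter and strings(1) or a hex editor needs.
# Prints "recoverable" if the marker is still on the drive, "gone" otherwise.
marker_recoverable() {
    if grep -qa -- "$MARKER" "$IMG"; then echo recoverable; else echo gone; fi
}

demo() {
    make_drive
    echo "fresh drive:        $(marker_recoverable)"
    quick_format
    echo "after quick format: $(marker_recoverable)"
    full_wipe
    echo "after full wipe:    $(marker_recoverable)"
    rm -f "$IMG"
}

demo
```

Running it prints "recoverable" for the fresh drive and again after the quick format, and "gone" only after the full wipe. On a real drive you would point DBAN (or `shred` / `dd if=/dev/zero`) at the whole device node, not at a single partition, so that every sector is covered. One caveat: overwriting is only a reliable wipe for spinning disks like the 360's. On flash storage, wear leveling means a write may land in a different physical cell than the one holding the old data, so for flash you want the device's own secure-erase command rather than a software overwrite.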
"I think Microsoft has a longstanding pattern of this," Podhradsky said. "When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate; the data is still available... so when Microsoft tells you that you're resetting something, it's not accurate."
Podhradsky didn't say whether the same hacks can be performed on other consoles with a hard drive, such as the PS3, or even on the Wii's limited flash storage.
Most people probably won't know how to hack into consoles, but you never know who will end up with the Xbox 360 you sell back to GameStop. If you've ever sold your old Xbox 360 or hard drive, we suggest monitoring your credit cards more closely to see if there's unauthorized activity.
Update: Jim Alkove, Microsoft's general manager of security for its interactive entertainment business, gave Joystiq the following response:
We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims.
Xbox is not designed to store credit card data locally on the console, and as such it seems unlikely that credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.