Xbox 360 hard drive retains credit card information after factory reset

April 2, 2012, 4:00 PM

A group of researchers from Drexel University claim that data left behind on an old Xbox 360 hard drive is susceptible to theft, even after the drive has been reset to factory defaults.

During a phone interview with Kotaku, Ashley Podhradsky told the publication that Microsoft does a great job of protecting their proprietary information but ultimately is doing a disservice to their customers by not doing a better job at keeping their personal data protected from would-be thieves. 

The team came to this conclusion after they purchased a refurbished Xbox 360 last year from an authorized Microsoft retailer. They were able to download readily-available modding tools and used them to access the hard drive. It took a bit of work but eventually the crew was able to locate and access the previous owner’s credit card information.

A credit card is needed to pay for items via Xbox Live, including game downloads, add-ons and the service subscription itself. Jim Alkove, general manager for Microsoft Interactive Entertainment Business, told CNET in a statement that the Xbox is not designed to store cardholders' information and that it seems unlikely that data was recovered this way.

Microsoft has requested information from the Drexel researchers that will allow it to investigate the matter further, but as of writing, that information hasn’t been provided.

"We can assure Xbox owners we take the privacy and security of their personal data very seriously," Alkove said.

We’ll keep an eye on this story as it develops but in the meantime, it might not be a bad idea to keep that old hard drive and either connect it to a PC to properly wipe it or physically destroy it if you don’t plan to reuse it.




User Comments: 6

Guest said:

Well now this is public information, the credit card information is definitely going to be safe. /sigh

amstech, TechSpot Enthusiast, said:

Well yeah it works like any hard drive.

Wiping/formatting/re-partitioning doesn't truly erase the old data.

I've pulled data off drives that have been reformatted more than once, and I mean low level format = wiped.

So Microsoft can't deny it. I am glad they did an undeniable test.

m4a4 said:

This makes it sound like the Credit Card is stored on the 360's hard drive. There is no way that the CC would be stored locally.

So if anything, they accessed the "erased" XBL profile, logged in, and then could use the CC to potentially purchase content (not use the CC outside of XBL).

So it isn't nearly as bad as this makes it sound. If you made it so that you have to sign in before accessing XBL, you are "safe".

Guest said:

What a crock!

My grandmother serves cookies after lunch too.

I love it when sites serve up FUD.

Guest said:

A wipe is not just reformatting. Use something like DBAN (Darik's Boot and Nuke) and then maybe you can feel safe. If you're really paranoid you can physically shred it at some places.

Guest said:

The credit card details are not on the console, only the profile, that has an authorization for a credit card. But Microsoft provides all the tools on the console to protect your Xbox account; just explore the menus, read the instructions, all the safety documents and terms of use, and if you follow all the instructions Microsoft provides you, there will be no unauthorized charges or even access on your Xbox account. As a matter of fact, Xbox is the most safe gaming system by far.
