Researchers at Drexel University have told Kotaku that used Xbox 360s can be hacked with common tools to get at personal information stored on the hard drive, including old credit card numbers. Drexel researchers Ashley Podhradsky and Cindy Casey, alongside Dakota State University's Pat Engebretson, purchased a refurbished Xbox 360 last year and cracked it open with a basic modding tool found online.
"Microsoft does a great job of protecting their proprietary information, but they don't do a great job of protecting the user's data," said Podhradsky. "I think Microsoft has a longstanding pattern of this. When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate-the data is still available. So when Microsoft tells you that you're resetting something, it's not accurate."
For users concerned about completely clearing their personal information, Podhradsky recommends unhooking the hard drive from your 360, hooking it up to a PC, and using a third-party program to cleanly wipe the data. Otherwise, seasoned hackers will have no problem finding the same informationa given the same tools.
"A lot of them already know how to do all this," she said. "Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity."
Microsoft Xbox security general manager Jim Alkove told Joystiq that the company was looking into the issue.
"We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims," Alkove said in his statement.
"Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."