Old Xbox 360s can give up credit card info to hackers

Researchers show how used and refurbished Xbox 360 units can be mined for personal information

Researchers at Drexel University have told Kotaku that used Xbox 360s can be hacked with common tools to get at personal information stored on the hard drive, including old credit card numbers. Drexel researchers Ashley Podhradsky and Cindy Casey, alongside Dakota State University's Pat Engebretson, purchased a refurbished Xbox 360 last year and cracked it open with a basic modding tool found online.

"Microsoft does a great job of protecting their proprietary information, but they don't do a great job of protecting the user's data," said Podhradsky. "I think Microsoft has a longstanding pattern of this. When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate - the data is still available. So when Microsoft tells you that you're resetting something, it's not accurate."

For users concerned about completely clearing their personal information, Podhradsky recommends unhooking the hard drive from your 360, hooking it up to a PC, and using a third-party program to cleanly wipe the data. Otherwise, seasoned hackers will have no problem finding the same information given the same tools.

"A lot of them already know how to do all this," she said. "Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity."

Microsoft Xbox security general manager Jim Alkove told Joystiq that the company was looking into the issue.

"We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims," Alkove said in his statement.

"Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."


Latest comments (6)

Private Industry 5 years ago
That's why you should never do a lazy formatting but a proper formatting :)

It might be more something along the lines of restoring the profile data and getting the credit card data out of that.
Andrew Goodchild Studying development, Train2Game 5 years ago
But if it was restoring the profile to see card data, pretty sure the console only shows the last 4 digits, plus to restore a profile I'm pretty sure you need the Windows Live password.
It does worry me on my WP7 I can't set it to require a password for purchases.

Edited 1 times. Last edit by Andrew Goodchild on 31st March 2012 3:08pm

Alan Pierce Programmer, Digital Delight 5 years ago
Sounds to me like it's nothing to do with recovering the profile. More like examining the hard drive sectors to retrieve the files.
Craig Page El Presidente, Awesome Enterprises 5 years ago
Who cares? My credit card number gets stolen every year anyway, if someone had my old refurbished Xbox 360 the credit card information on it would be two versions behind anyway. Sorry would-be thieves but you're too late, the first thieves to get my number already went on a shopping spree at gas stations and Walmarts.
robert troughton Managing Director, Coconut Lizard 5 years ago
What about all the 360s that were returned to MS due to RRODs only to be replaced with a refurbished one? My son's Xbox had an RROD after only 6 weeks... we sent it to Microsoft in pristine condition - they sent us someone else's refurbished Xbox back complete with scratches on top and front. I wonder whether either had their data completely wiped?
Jeff Wilson 5 years ago
If you do sell your old Xbox, remove the hard drive and sell it as an Arcade version (no risk of data theft).

The article stated that Windows does not fully delete data on reformat. But, most data is very difficult to fully recover if you reformat a PC with Windows.

For those concerned about integrity of data, destroy your old hard drive or buy 3rd-party hard drive reformatting software that writes zeros to the surface of the hard drive sectors. It takes a few hours but it is worth it.
