A group of researchers at Drexel University have demonstrated a method of recovering credit card details and other sensitive information from used Xbox 360s, even after they have been "reset to factory defaults." The method is straightforward and uses readily available tools. Ashley Podhradsky, one of the Drexel researchers, says, "Microsoft does a great job of protecting their proprietary information. But they don't do a great job of protecting the user's data."
Which is to say that Microsoft is spending a lot of money and resources on ensuring that your Xbox 360 only runs software that is authorized by Microsoft (like Apple with iOS and Nintendo with the Wii/3DS, Microsoft charges money for the right to sell software that will play on your device). But they don't pay any particular attention to protecting your interests as the owner of the device.
What's more, the Digital Millennium Copyright Act, which regulates the breaking of software locks, makes it illegal to investigate the internal workings of devices like the Xbox 360, and to publish the details of your findings, where those findings might also aid people in choosing to run unauthorized software on their own property.
Podhradsky, along with colleagues Rob D'Ovidio and Cindy Casey at Drexel and Pat Engebretson at Dakota State University, bought a refurbished Xbox 360 from a Microsoft-authorized retailer last year. They downloaded a basic modding tool and used it to crack open the gaming console, giving them access to its files and folders. After some work, they were able to identify and extract the original owner's credit card information.
We reached out to Microsoft for comment on this issue, but as of press time, they have not yet responded.
Podhradsky isn't even a gamer, she says. For seasoned modders and hackers, the process might be even easier.
"A lot of them already know how to do all this," she said. "Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity."
…"I think Microsoft has a longstanding pattern of this," Podhradsky said. "When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate—the data is still available… so when Microsoft tells you that you're resetting something, it's not accurate. There's a lot more that needs to be done."