Don’t sell it just yet as Microsoft is currently investigating whether or not Xbox 360 hard drives retain the credit card information of past users – even if the console has been restored to factory settings.
The alleged security flaw was initially discovered by security researchers from two universities who purchased a refurbished Xbox 360 and used common modding software to drill into the file system, eventually mining their way straight to the previous owner’s financial information.
One of the researchers, Ashley Podhradsky, shed a little light on the console’s security structure, telling Kotaku, “Microsoft does a good job protecting its own proprietary information on the console, but doesn't take any steps to protect user data.”
Based on their findings, the researchers recommend that anyone interested in getting rid of their Xbox 360 console detach the hard drive, hook it up to their regular PC, and use a program similar to Darik’s Boot & Nuke to remove all of the sensitive data.
Jim Alkove, Microsoft’s General Manager of Security of Interactive Entertainment Business, reached out to Kotaku and gave the following statement:
We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims.
Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.