Things haven’t been easy for Xbox 360 owners this year, especially after a string of stolen accounts left many without their games for weeks. Brace for more bad news: apparently, hackers can extract credit card information from old 360 hard drives.
The hack was discovered by researchers at Drexel University, who used a variety of mod tools to pull credit card info from refurbished 360s. The tools they used are said to be common, making it relatively simple to secure sensitive information.
What’s most shocking is that this can even be done on systems that have been reformatted to factory settings. Even though one assumes all of their data is wiped when they reformat the system, it seems some of it still left on the hard drive.
“A lot of them [hackers] already know how to do all this […] Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone’s identity.”
The ease of use certainly makes this story all the more frightening, especially for those who trade in their consoles. With so many used 360’s out there, who knows how many people’s information is at stake?
Ashley Podhradsky, one of the researchers at Drexel suggests hooking up your 360 hard drive to your PC in order to reformat it, as there’s plenty of software out there that will get the job done.
The development is quite shocking, as it means just about every time someone trades in or sells an Xbox 360, they’re running the risk of having their credit card or personal information stolen. What reason would Microsoft have for keeping this data on the hard drive even after a factory reset?
I’ll be picking up a new 360 in a few days and was considering selling my old one, but after this incident that is definitely not an option. Let’s hope Microsoft addresses the issue soon, instead of taking so long to respond like with the stolen accounts.
[UPDATE] Microsoft has responded to the issue, stating (to Joystiq) that what the researchers claim is not possible. That being said, they are trying to get a hold of the console in question in order to replicate the researcher’s actions.
“We are conducting a thorough investigation into the researchers’ claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims.
Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.”
We’d still reccommend not trading in your Xbox 360’s until further information is revealed, but at least we can all breath a sigh of relief.
Follow me on Twitter @AnthonyMole