Expert: Credit Card Data On Old Xbox Hard Drives Is Vulnerable (Updated)

If you’ve ever gotten rid of an old Xbox 360 hard drive, a determined hacker could find a way to extract your credit card information from the device. As part of a study meant to expose Microsoft’s lax protection of consumer data, researchers bought a refurbished Xbox 360 and used hacking tools to plunder the device for info that identified the previous owner, as well as the owner’s credit card details. They say old data isn’t safe even if the hard drives have been formatted.

Kotaku spoke to a Drexel University researcher who took part in the experiment. What she has to say should frighten anyone who has ever upgraded an Xbox hard drive:

“A lot of them already know how to do all this,” she said. “Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone’s identity.”

She recommends hooking your hard drive up to a PC and wiping it clean with a reliable program before discarding it. If you don’t want to go to the trouble, you may be best off hanging on to the old hard drive indefinitely or destroying it.

UPDATE: Microsoft sent this response to Joystiq:

“We are conducting a thorough investigation into the researchers’ claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims.

“Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.”

Hackers Can Steal Credit Card Information From Your Old Xbox, Experts Tell Us [Kotaku]



  1. apasserby says:

    Best to literally destroy the drive. That goes for any hard drive in a machine you intend to dispose of.

    • extrudedcow says:

      A single pass of writing zeroes is sufficient on any modern drive. Destroying it is a waste of perfectly good hardware.

  2. Marlin says:

    Really? People can get CC’s a lot more easily than this. That and why should I subject myself to losing the value from selling said hard drive when, even if someone thought I was Paul Allen, it’s not as simple as it sounds to get information off.

    • GrandizerGo says:

      Well normally when your CC is stolen, they track where it could have been stolen from? Did you swipe it at a store that has employees that might have copied the #’s? Did you misplace it at some point for some time? The fact that you sold a drive maybe weeks ago or longer before your info is stolen makes it FAR easier for said people to NOT EVEN CONSIDER that this is how the CC was stolen…
      Plus, while it might not be simple for you, there are FAR more technically able people who can do this very easily.
      Google and DL a reputable DOD level drive level formatting program. Set it up to do its job, not just once, but 2 or more times to be safe / comfortable.

      • Marlin says:

        “Well normally when your CC is stolen, they track where it could have been stolen from?”

        No, it gets added to a database and unless it gets tied to a large ring/area the CC company just writes it off.

        Many times people know who took the card or the place it was used is local yet the CC company and police will not do anything.

  3. rpm773 says:

    Sure, it’s a vulnerability, but what are the practical implications? Buying used Xboxes to harvest the valid credit card numbers they *may* potentially hold seems like a lot of work and expense for a pretty sketchy payoff.

    I could see some miscreant kid doing this with the refurb unit he bought, thereby causing the original owner a hassle with the credit bureaus, but that’s about it.

    That doesn’t mean the original owner shouldn’t take steps to wipe it clean before disposing of it, though.

  4. Vox Republica says:

    BRB, buying as many used XBox 360 hard drives as I can for no particular reason that is certainly not at all nefarious.

  5. punkrawka says:

    Just another reason not to use your credit card to buy points and gold memberships. Buy the prepaid cards – they go on sale every so often anyway. There have been stories of auto-renewals that can’t be shut off, it’s too easy to make accidental purchases by repeatedly tapping “A” from the dashboard, etc. Just never even put your CC info straight into your Xbox – problems solved.

    • Mambru says:

      True, sometimes they have good deals on Amazon and you don’t even have to buy the card; they e-mail you the code.

  6. SPOON - now with Forkin attitude says:

    drill press.

    • scoosdad says:

      I have about a half dozen old IDE drives here that are waiting for a trip to a friend’s basement shop to get decommissioned by his drill press. More fun than opening them up to get at the platters inside.

      It’s the same feeling I get when I order a dumpster about once a year and throw out my accumulated clutter. Sorry, I have no life.

      • hansolo247 says:

        I think opening and dismantling hard drives is FUN.

        It should also be mentioned that once those platters are exposed to atmosphere, the ability to read anything off them diminishes almost completely. Pull the platters and touch them…and it’s pretty certain outside of the most advanced government agency no one is going to get data…and even if they do it will be snippets at best.

        BTW, newer platters are glass. The magnets are fun, too. I use them for my fridge. Be careful with them…you can crush a finger easily with them.

        • KyBash says:

          I used to love it when I had a stack of old hard disks — I’d lay my tools out like a reverse-manufacturing op, turn on the tv, and start stripping them down. It’d never take me long to get to where I could do it by touch, not having to look away from the tv.

          I could make over $40 an hour (from the scrap aluminum and copper) while watching movies!

          Since schools can’t sell old computers anymore (there’s now a state law that they’d have to remove the hard drives first, so they just throw the whole thing into the trash), those days are gone.

  7. GrandizerGo says:

    pop the drive out, open drive, pour in solvent, wait 5 minutes, pour out half of excess, close drive back up. Reinstall in Xbox.
    It is being sold as is anyways. :)

  8. Agent Hooter Enjoys Enhanced Patdowns says:

    This is why I take all of my old hard drives out into a field and put a number of bullet holes in them before discarding.

  9. hansolo247 says:

    Any device with CC info would be vulnerable to this…PS3 included (and even more so).

    It needs to be mentioned that this, as far as reading file systems on an old drive goes, falls into the “harder” category due to the specialized tools needed.

    There are plenty of laptops out there with even more information on them that you can just plug into a motherboard and go.

  10. Mr Grey says:

    I zero out all drives before I get rid of old computer hardware
    Active bits Kill Disk has a free version – tho a few bucks will get you a full version with a DoD spec zero wipe.

  11. some.nerd says:

    Don’t forget the credit card data in your original 13-pound Xbox console! That’s the main reason I haven’t sold/given it away/scrapped it yet. Forever in a plastic bin, it will remain… even more so since I lost my copies of Taito Legends and Midway Arcade Treasures 2… :(

  12. Gehasst says:

    dban ftw!

  13. HogwartsProfessor says:

    Trying to get the controller away from the kitteh will make your arm vulnerable.