Report Suggests Credit Card Info Remains On “Wiped” Xbox 360s

As if the still-ongoing issues with Xbox Live security weren’t enough, a report suggesting that credit card and other personal info remains on a ‘wiped’ Xbox 360 is like digital icing on a very stinky old cake. That’s gone mouldy.

“You might not want to sell or give away your Xbox 360 any time soon,” said Kotaku over the weekend. “Not without taking a hammer to the hard drive.”


According to a report from researchers at Drexel University, it’s trivial enough to “dig into a system’s hard drive and excavate [a] credit card number or other personal information.”

“Microsoft does a great job of protecting their proprietary information,” said researcher Ashley Podhradsky. “But they don’t do a great job of protecting the user’s data.”

Microsoft have today responded.

“We are conducting a thorough investigation into the researchers’ claims,” said the manufacturer. “We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims.”

Microsoft say that the Xbox is not designed to store credit card data locally on the console.



  1. “We are conducting a thorough investigation into the researchers’ claims”

    It is good that they are looking into it, but the fact that they have to look into it at all shows a lack of confidence as far as I am concerned.

    Granted, I haven’t liked reports of their blinkered approach to the hacks & theft, but why wouldn’t you say something along the lines of “the console architecture does not allow for storing of personal information” for PR sakes if nothing else! They could still look into it even if they said this.

    Not that anyone would appreciate being lied to though.

    • Actually, that’s pretty much exactly what they said. If you follow the Joystiq link…

      “Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described.”

      Very coy word usage mind you, “not designed to” vs “does not” still leaves them wriggle room if cornered but takes the heat off for now in the hope the media will forget about this and move on (which they will, this isn’t a Sony story so why bother right?)

      Btw nofi, this was soooo last Thursday’s news. MS didn’t respond ‘today’ either, that was last Friday (US). Did you write this on Saturday then forget to hit publish before going to the pub? ;)

  2. At least MS are responding rather than a ‘phishing’ style excuse.

  3. It seems odd that it would store that data on the Xbox itself, I mean, I presume that sort of user data is stored on an ‘accounts’ server somewhere.
    What about the PS3 and could the same thing happen?

  4. Well then, it’s a damn good job me and a friend of mine smashed up our 360’s last year instead of deciding on selling them. Unless the rats in the scrap heap can hack bank accounts. Otherwise I think we’ll be fine :)

    • Ah, I wondered why I saw those rats dressed as pimps earlier.

  5. Jeez….

