Hackers Can Steal Credit Card Information From Your Old Xbox, Experts Tell Us

You might not want to sell or give away your Xbox 360 any time soon. Not without taking a hammer to the hard drive.

Even restoring your console to factory settings won't remove some of the data it stores, according to an ongoing study from researchers at Drexel University. And with a handful of common tools, hackers and modders can dig into a system's hard drive and excavate your credit card number or other personal information.

Speaking to Kotaku in a phone interview today, researcher Ashley Podhradsky said Xbox publisher Microsoft is doing a "disservice" to its customers by not doing a better job of keeping personal data protected.

"Microsoft does a great job of protecting their proprietary information," she said. "But they don't do a great job of protecting the user's data."

Podhradsky and colleagues Rob D'Ovidio, Pat Engebretson, and Cindy Casey, who all study digital forensics at Drexel, bought a refurbished Xbox 360 straight from Microsoft last year. They downloaded a basic modding tool and used it to crack open the gaming console, giving them access to its files and folders. After some work, they were able to identify and extract the original owner's credit card information.

Podhradsky isn't even a gamer, she says. For seasoned modders and hackers, the process might be even easier.

"A lot of them already know how to do all this," she said. "Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity."

So what should you do if you want to get rid of your Xbox 360 but you don't want your personal information compromised? Podhradsky recommends detaching your 360's hard drive, hooking it up to your computer, and using a sanitization program like Darik's Boot & Nuke to wipe everything out. Just reformatting the system isn't enough.

We reached out to Microsoft for comment on this issue, but as of press time, they have not yet responded.

"I think Microsoft has a longstanding pattern of this," Podhradsky said. "When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate — the data is still available... so when Microsoft tells you that you're resetting something, it's not accurate.

"There's a lot more that needs to be done."


    And that is exactly why I held onto my hard drive when I threw out my Xbox. Come to think of it, I might as well pop it in my computer, seeing as I'm not getting another Xbox.

    I'm safe because my old box is in pieces with most of the parts ripped off in a failed attempt to fix the RROD :P

    Lucky I don't have to worry, my Xbox hard drive melted in my Xbox.

    Wiping the HDD with DBAN is all well and good but aren't you effectively bricking your console as the HDD will have no OS on it?

      No, the system has its OS on the mobo. This study is complete bullshit; the only information your console contains is achievements and DLC info.

        Then where did they get the CC information from? Magical fairy wishes?

      Surely you could load XBMC or something similar over the top?

    You cannot erase the Xbox 360 OS since it's not stored on the HDD, it's stored on the ROM or NVRAM which is small in size, meaning it's not even above 50MB. Data manipulation as of DBANning cannot brick or damage your drive since all that's on there is your personal info, system settings, bank details (if you have put them on there) and gaming data. Besides, the Xbox 360 reformats the drive once you put it back in there to use it on the console again, no harm done.
