Credit card information is reportedly being picked clean from refurbished Xbox 360s, along with other personal information. Microsoft is investigating the claims.
Speaking to Kotaku, Drexel University researcher Ashley Podhradsky said Microsoft needed to do more to protect users' data.
"Microsoft does a great job of protecting their proprietary information, but they don't do a great job of protecting the user's data," she said.
Three researchers from Drexel (Podhradsky, Rob D'Ovidio and Cindy Casey) and Pat Edgebreston of Dakota State University purchased a refurbished Xbox 360 last year.
They downloaded a basic modding tool and used it to crack open the gaming console, giving them access to its files and folders. After some work, they were able to identify and extract the original owner's credit card information, Kotaku reports. The Web site contacted Microsoft, but didn't receive a response.
Podhradsky says she isn't a regular gamer so, theoretically, the process would be even easier for experienced hackers.
"A lot of them already know how to do all this. Anyone can freely download a lot of this software, essentially pick up a discarded games console, and have someone's identity," she added.
For users wanting to sell their Xbox 360, the recommended advice is to remove the hard drive, connect it to a computer, and run a program such as Darik's Boot & Nuke, which removes all data.
"I think Microsoft has a longstanding pattern of this. When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate - the data is still available ... so when Microsoft tells you you're resetting something, it's not accurate," Podhradsky added.
Despite not commenting on the original Kotaku story, Jim Alkove, general manager of security for Microsoft's game business, said the claims were unlikely.
"Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described ... [W]hen Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously," he told GameSpot, despite the researchers claiming otherwise.
"We are conducting a thorough investigation into the researchers' claims," he added.
(reported by Jonathan Charles, edited by Surojit Chatterjee)