Microsoft's Xbox 360 might not be protecting user data after the console is restored to factory settings, according to a new report.
In an interview with gaming blog Kotaku, Ashley Podhradsky, a researcher at Drexel University, said that when Xbox 360 owners trade in their consoles after restoring them to factory settings, their personal data might be left open to malicious hackers.
"Microsoft does a great job of protecting their proprietary information," Podhradsky told Kotaku. "But they don't do a great job of protecting the user's data."
Podhradsky, along with other researchers at the university, bought a refurbished Xbox 360 last year. Soon after, they downloaded some modding software, took aim at the device's hard drive, and eventually accessed the previous owner's credit card information.
The researchers' findings revive the decades-long debate over whether formatting a hard drive safely removes its data. For years, Windows users have attempted to wipe their drives completely clean, only to discover that much of the data, while not readily viewable, is still there. Specialty tools have been developed to give users the desired effect of totally erasing old data.
Now that the issue might have made its way to the Xbox 360, a new round of concerns might arise. For one, users share their credit card information through the Xbox 360 to sign up for Xbox Live. If that data is still logged somewhere on the drive even after the device has been restored to factory settings, some might wonder whether they should retain their old drives and destroy them after use.
According to Kotaku, Podhradsky recommends removing the hard drive from the console, hooking it up to a PC, and using a third-party tool to properly format it.
Still, it's important to note that re-creating the hack isn't necessarily easy and requires some know-how.
But Microsoft isn't convinced by the researchers' findings. In a statement to CNET, Microsoft Interactive Entertainment Business security general manager Jim Alkove said the software company has "requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims." What's more, he says, the information presented publicly doesn't necessarily coincide with the Xbox's functionality.
"Xbox is not designed to store credit card data locally on the console, and as such it seems unlikely credit card data was recovered by the method described," Alkove told CNET. "Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data.
"We can assure Xbox owners we take the privacy and security of their personal data very seriously," Alkove said.
Update 10:28 a.m. PT to include Microsoft's statement.