Microsoft Denies Used Xbox Credit Card Hack 

Microsoft has said it is looking into reported allegations that hackers may be able to retrieve credit card information off an Xbox 360 -- even after the hard drive has been reformatted.

The initial report of the security issue came from researchers at Drexel University in Philadelphia, Pa. In it, the researchers allege that even after restoring an Xbox 360 game console to factory settings, some personal data (including credit card information and billing address) is still stored on the HDD. It can then be retrieved with the use of "basic hacking tools."

Speaking to Kotaku in a phone interview, researcher Ashley Podhradsky said that Microsoft is not protecting consumers from data theft if a flaw like this could easily be exploited.

"Microsoft does a great job of protecting their proprietary information," said Podhradsky. "But they don't do a great job of protecting the user's data."

According to the researchers' ongoing study, the team purchased a refurbished Xbox 360 from a gaming retail chain for test purposes. Once the system was loaded with custom modding software, the researchers were able to retrieve the previous owner's credit card information.

While Microsoft said that it was investigating the claims, it also went as far as to deny the allegations: "Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described," said Jim Alkove, general manager of Microsoft's security of interactive entertainment business, to Joystiq. "Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."

While Microsoft conducts its own investigation into the matter, Podhradsky said the only way to be sure that your credit card information is kept safe when turning in a used Xbox 360 is to reformat it to default system settings, hook it up to a computer and use a third-party tool to securely wipe the drive.

About the Author

Chris Paoli is the site producer for and

