Hackers can steal credit card data from used Xbox 360s

Summary: Security researchers at Drexel University and Dakota State University say they can extract credit card information from Microsoft Xbox 360s even after they have been restored to factory settings.


Update: Microsoft investigating used Xbox 360 credit card hack

Hackers can reportedly retrieve credit card data and other personal information from old Microsoft Xbox 360s. Even if the console is restored back to factory settings and its hard drive is wiped, researchers say they can pull off the feat. Ashley Podhradsky, Rob D'Ovidio, and Cindy Casey of Drexel University, along with Pat Engebretson at Dakota State University, bought a refurbished Xbox 360 from a Microsoft-authorized retailer last year. They then downloaded a basic modding tool, gained access to the console's files and folders, and eventually extracted the original owner's credit card information.

"Microsoft does a great job of protecting their proprietary information," Podhradsky told Kotaku. "But they don't do a great job of protecting the user's data." She says she isn't even a gamer, and warns console modders and hackers may find the process even easier. "A lot of them already know how to do all this. Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity."

Microsoft will need to verify whether or not all Xbox 360 hard drives, as well as USB drives that have had profiles transferred onto them, store the sensitive information and why the factory reset option isn't deleting this data. If this turns out to be the case, Redmond will have to offer instructions for what users can do to protect their credit card details, especially if they're looking to sell their console.

If you're looking to sell soon, I would personally recommend formatting the HDD yourself with some powerful software that writes 1s and 0s to it directly. Podhradsky specifically says Darik's Boot And Nuke tool gets the job done.

I have contacted Microsoft about this issue and will update you if I hear back.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • Umm, So what!

    So all you have to do is go steal an Xbox and hack it to get one card at a time.....

    Nobody will do this as it isn't worth the time, research like this is pointless...
    • Umm, so how about ...

      Or check out the next hotel xbox you see - and there are a LOT of people who book those whilst on leave.

      Any xbox with a recovered account (i.e. downloaded onto a loaned xbox) will also download this same profile information. No need to steal one at a time, use those already on your hotel provided xbox. One way to pay for that bill :)

      Also - try to go remove those details from your xbox. You can't.
      You can swap them for another valid/active credit card, but you can't remove them.
      • Hotel, rental or friends....

        Thieves care about scale, they want thousands of cards if not millions of card numbers, so checking into a hotel room to steal a card is still not going to get you there...
      • @ On-the-edge

        Are you still living in the 15th century? :|

        Either way, you're welcome to the 21st century :)
  • Hacking tools

    There are hacking tools to convert non-360 hard drives into usable drives, but not Microsoft OEM drives. I can't believe the researchers recommended a straight wipe without this caveat.
  • Full Format

    Maybe Xbox could update the consoles to do a full format when putting the system back to factory settings?
  • Where is this information stored?

    Is it in the ROM or somewhere on the Xbox hard drive? The same issues affect computer users that just simply restore their computer to factory without secure wiping the hard drive first. This may even affect cell phone and tablet users that do not secure erase or have the ability to secure erase their device before selling it or giving it away.
  • Microsoft has already refuted this.

    MS has stated publicly that card numbers are NOT stored on the Xbox device.

    Don't know why such an inflammatory title was placed on a snippet of a reposted report.
    • Then how did they do it?

      If that is true, how did the researchers get the data? It wouldn't be the first time MS refutes a claim that turns out to be false.
      • Good Question

        If they share that information we can find out, but up to now they have not shared that information with anyone including Microsoft.
  • Not surprised

    I am not surprised that Microsoft is more worried about their data than users' data. On a side note, anyone here have an Xbox they want to sell?
  • So tired of all the hacking.

    I guess it's time to burn and destroy everything with a CPU and go back to Clubs, Rocks & Fire..
    • Didn't you mean...

      ...Clubs, Spades, Hearts and Diamonds? I believe they won't hack into my credit card if they get my old-fashioned card deck :)