Microsoft is investigating claims made by a university research group that hackers can easily access credit card data stored on secondhand Xbox 360s.
As reported by Kotaku, a team from Drexel University in Philadelphia, USA, claim to have ripped bank card numbers from a pre-owned Xbox using basic modding tools downloaded from the web.
"Microsoft does a great job of protecting their proprietary information, but they don't do a great job of protecting the user's data," said researcher Ashley Podhradsky.
She went on to recommend that anyone getting rid of a console should use a sanitisation program like Darik's Boot & Nuke to ensure their system's hard drive is completely wiped clean. Just reformatting it doesn't do the job, she argued.
"I think Microsoft has a longstanding pattern of this. When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate - the data is still available... so when Microsoft tells you that you're resetting something, it's not accurate."
Microsoft has since issued a formal response to the claims, insisting it's carrying out a full investigation.
"We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims," Jim Alkove, general manager of Microsoft's security of interactive entertainment business, told Joystiq.
Alkove moved to reassure customers that Drexel University's findings seem "unlikely".
"Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data," he said.
"We can assure Xbox owners we take the privacy and security of their personal data very seriously."