Buying a second-hand hard drive on eBay? You've got a 'one in two' chance of finding personal info still on it

You would think that, with computers dominating every aspect of our lives, people would be aware that storage devices can retain information even after clicking "Empty Recycle Bin". Not so, according to research by Finnish data removal specialist Blancco. The company purchased 159 random used drives on eBay in the US and …

  1. Anonymous Coward

    Not my experience.

    Drives were empty/zeroed when purchased off eBay/local stores second hand IIRC.

    However, I tend to purchase nice, nearly new or power seller drives (SSDs).

    *BUT* 100% of drives from friends/family/repairs needed me zeroing them, because obvs the user never does.

    I tend to know the risks of over provisioning/dead sectors and am willing to take the risk, as super low chance that sector contained my entire passport I never scanned in. But I'd not force others to do the same, but do find it funny when they cut all the power cords, snap the ram sticks, but leave the HDD unscathed!

    1. Anonymous Coward

      Re: Not my experience.

      The retail blue card box packaging of the Crucial MX500 has a flaw in that you can remove the drive from the side of the box without damaging the security seal. Due to the way the hinge is produced by cutting the card, a tampered one doesn't look that different from new, as the modification 'tampering' appears similar to the hinge of the box.

      Why do I know this? Because I received a 'brand new' Crucial MX500 SSD from Amazon.co.uk, which had been tampered with. I didn't take any chances, the drive was sent back.

      Firmware modification is all too real, if you work with sensitive data and you can be targeted by just where the drive is being sent to and why certain companies have decoy 'customer' deliveries to test that the powers that be, aren't modifying their Retail kit based on a Postcode, without their knowledge prior to the target using/receiving it.

  2. Will Godfrey Silver badge
    Thumb Down

    Playing with fire

    There is no way I'd even think about getting a second hand drive from anywhere. New ones are cheap enough, and likely to be far more reliable - that's not even starting on the risks associated with what might be on a used one.

    1. Anonymous Coward

      Re: Playing with fire

      That depends. Try buying 16 SAS drives for a home server including a 400gb SSD new for less than a grand... Whereas I've managed to build the whole thing for £230 using second hand drives (also scored a win 2012 r2 OEM HP install on one of the drives too. Literally plug and play).

    2. Anonymous Coward

      Re: Playing with fire

      >There is no way I'd even think about getting a second hand drive from anywhere

      Quite, chances are it's had a very hard life in a data centre raid array before you become the proud owner of a bag o' shite.

      1. CrazyOldCatMan Silver badge

        Re: Playing with fire

        chances are it's had a very hard life in a data centre raid array

        One place I worked, we had a policy of never putting HDDs from the same batch into the same RAID array due to the fact that they tended to have similar failure times.. (*after* we got bitten twice by it).

        We also had a policy of replacing HDDs of the same batch in other arrays if several had already failed elsewhere. Mind you, those HDDs got destroyed rather than resold.

    3. This post has been deleted by its author

  3. Nate Amsden

    for hdds

    I like to harvest the magnets. hard disk magnets are so strong. I probably have 30 or 40 of them just from my own drives over the past 15 years or so. Most recently took apart 3 x 750GB drives that I hadn't used since about 2010 to get their magnets. Had to invest in a good torx set though(from PB Swiss tools in my case, I am far from a handy man and had only come across them trying to find good quality torx), as the cheap ones get stripped really easily. Before I had the good tools sometimes I would have to resort to brute force to remove the magnets and sometimes could not get to them at all. And before the recent tool acquisition I was never able to remove any of the hard disk platters.

    I suspect my drives aren't very usable after I am done harvesting their magnets.

  4. Chris Hills

    In my experience

    You have a 3 in 4 chance the seller doesn't package it properly and it gets damaged in transit, or when it falls to the floor through the letterbox.

  5. mark l 2 Silver badge

    It is not just hard drives that can be left with data on them. I purchased a used PC from a 'computer re-furbisher' around 5 years ago and it came with a CD in the optical drive with several documents related to the M.O.D. which were marked as sensitive. Ironically they had sold it without a hard drive included, probably because the hard drives have to be destroyed.

    1. Fred Dibnah Silver badge

      To paraphrase Brad Pitt, “That’s the sensitive shit, Man!”

    2. John Brown (no body) Silver badge

      "several documents related to the M.O.D. which were marked as sensitive."

      That's a little odd. I assume it was a contractor doing work for the MoD. Actual MoD kit doesn't get removed from site if it has any form of long term storage, which pretty much means everything except the case (re-writable firmware could be used to exfiltrate data). Even warranty repairs get charged back to them for parts because the faulty parts can't be taken off site and are retained for destruction. Theoretically it only applies to kit that's been used anywhere for anything classified as a "Secret" or above, but in reality that's pretty much everything as kit gets moved around and/or re-deployed.

  6. dnicholas

    I broke my phone early last year and ended up buying a second hand one to tide me over. It was full of home made porn. Makes you wonder if they did it on purpose... Though it wasn't that good tbh!

    1. BebopWeBop Silver badge
      Joke

      I'm glad (for all our sakes) you did a quality check..

  7. JeffyPoooh
    Pint

    I read that the UK MoD has the following policy...

    1) They never sell retired disk drives

    2) They crush them

    3) But since the particles may still contain tiny slivers of data, they burn the bits to ashes (above the Curie temperature)

    4) Then they pack the ashes into drums and seal them up

    5) Then they put the drums into permanent storage in the locked basement dungeon of an old castle

    6) Which is on the secure grounds of an active military base with 24-hour surveillance

    Just what I've read somewhere... ...probably El Reg.

    1. jgarbo
      Devil

      Re: I read that the UK MoD has the following policy...

      You forgot 7) Guarded by hungry seven-headed dragon fired from GoT.

      1. Manolo

        Re: I read that the UK MoD has the following policy...

        Or a "Beware of the leopard" sign?

        1. Chunky Munky

          Re: I read that the UK MoD has the following policy...

          Had the lights gone?

          1. DuncanLarge Silver badge

            Re: I read that the UK MoD has the following policy...

            I'm sure the stairs had.

            1. This post has been deleted by its author

            2. Peter X

              Re: I read that the UK MoD has the following policy...

              Probably best to schedule the planet for demolition just to be on the safe side.

    2. TomPhan

      Re: I read that the UK MoD has the following policy...

      I thought they just left them in the back of taxis or on trains.

    3. Mr Humbug

      Someone who works in a defence establishment (where they make self-contained combined power supplies and propulsion units) told me that the normal procedure at the end of a project is to remove all the computer drives and bathe them in hydrofluoric acid.

      My normal procedure for disposing of drives is much easier - it just requires a power drill

      1. Duffy Moon

        "My normal procedure for disposing of drives is much easier - it just requires a power drill"

        I prefer the more fun, and less power-hungry method - a BGH (Bloody Great Hammer).

  8. Steve @ Ex Cathedra Solutions
    FAIL

    Experience with SD Cards is similar...

    I have bought a lot of old 2Gb SD cards to keep some old kit that can't cope with larger cards running. Out of 12 I bought, 6 still had data, 1 failed and 5 were reasonably well wiped. All had been formatted, which is good, but only the 5 (from 1 seller) were fully wiped.

    There was personal data on all 6 of those that had data on, although only one had data I'd consider sensitive. I destroyed it all after testing of course.

  9. A.P. Veening Silver badge

    Securely erasing data

    nothing makes sure data is truly gone like taking a good old-fashioned angle grinder or industrial shredder to your storage device.

    Using them as targets for sniper target practice also works wonders, I've seen some results.

    1. Anonymous Coward

      Re: Securely erasing data

      "nothing makes sure data is truly gone like taking a good old-fashioned angle grinder or industrial shredder to your storage device."

      My preferred method is a portable induction heater. The alternating magnetic field erases the data while it is melting the disks.

    2. PickledAardvark

      Re: Securely erasing data

      Shortly after Y2K when my organisation decommissioned its Vax systems, I observed that the secure paper disposal outfit were feeding an RL02 pack through their lorry-mounted shredder. It took a long time.

      I have seen commercial hard drive shredders in action and they are stunning in the way that they munch a disk. An hour each way to drive to the facility and ten minutes for a mountain of drives to disappear. I also discussed the environmental and economic cost of shredding with the Eco person at a UK Tier Two PC supplier. The company's policy for re-using PCs was to scrap the disk owing to overall cost of a secure wipe. More recently, a multinational enterprise PC supplier quoted a £1 fee (never actually charged) to allow the owner to retain disks replaced following a service repair.

  10. sanmigueelbeer Silver badge
    Thumb Up

    I have been on a lookout for a good set of torx screws, particularly T6, T7 and T8.

    I take joy in disassembling the hard drives and using the platters as coaster. The magnets are cool too.

    1. Hey Nonny Nonny Mouse

      You'll find it difficult to get your hands on such a perfectly flat, first surface mirror for the price of a hard disk too, the glass platters are exceptional

  11. Jason Bloomberg Silver badge
    Facepalm

    Phones and tablets offer even more treasures

    When phones and tablets fail, when the battery dies or the charger port gets broken, there are an amazing number of people who choose to flog them cheap at car boot and garage sales. Presumably imagining they've made a couple of quid by scamming someone into buying something which is useless.

    I haven't bought one yet which hasn't automatically logged itself in to email accounts and whatever sites have been signed-up to when powered on.

    It amuses me to think they are likely sitting in a pub with their mates laughing at what a mug I must have been.

  12. Anonymous Tribble

    I've bought two or three hard drives on eBay. All except one of them had been totally wiped. The one that hadn't been wiped appeared to have belonged to an estate agent. Nothing had been deleted at all. There were directories full of photographs of houses with addresses and full details of the owners.

    I've never sold a disk. I keep them until they die or are unusable. Then I dismantle them (keep the magnets, of course) and ensure nothing can be recovered from the platters. The most recent disks I destroyed were from where I worked at the time. One platter was melted with a blow torch. Another was ground down to aluminium filings with an angle grinder, and one sat in an acid bath for a couple of days which removed the magnetic coating leaving just a perfectly clear glass 2.5" disk :-)

  13. Anonymous Coward
    Happy

    Uh??

    What's with this "keeping the magnets" thing? Is it some sort of sexual thing that I should know about?

    For what it's worth, I get rid of my drives by bunging them through the furnace that I operate at work. I don't know where they disappear to, but disappear they do.

    Happy Friday y'all

    Cheers… Ishy

    1. Anonymous Tribble

      Re: Uh??

      "What's with this "keeping the magnets" thing? Is it some sort of sexual thing that I should know about?"

      Yeah, that's how I pin the Wife Tribble to the fridge.

    2. Francis Boyle Silver badge

      Re: Uh??

      You haven't lived until you've magnetised your Prince Albert.

    3. 's water music

      Re: Uh??

      What's with this "keeping the magnets" thing?

      commentards investigating how the fucking things work like any good juggalo engineer

    4. John Brown (no body) Silver badge

      Re: Uh??

      "What's with this "keeping the magnets" thing?"

      Magnets are magic! More magnets means more magic! Lots of magnets is better than playing with Lego.

    5. Duffy Moon

      Re: Uh??

      Magnets, bitch!

    6. Omgwtfbbqtime

      Re: Uh??

      Welding (cheaper than a good welding magnet)

      Adding mass to an anvil

      Keeping screws/bolts together when working under the car.

      stick it to the bottom of your oilsump (on old cars - stops the ground off shards recirculating with the oil - just remove it before you drain the sump)

      There are countless uses for a good strong magnet in the garage.

  14. zaax

    A few months ago I purchased a couple of filing cabinets from Homebase; they were both 1/2 full with documents including payslips. A car which still had the previous owner's CDs; a phone with interesting photos.

  15. phuzz Silver badge
    Alert

    DBAN

    Are there any newer alternatives to DBAN?

    It's always worked just great for me, but it doesn't seem to have been updated since 2015, so I'd be worried that it might not cope with more modern storage (eg NVMe). What about using the Secure Erase ATA command (eg this)?

    I'd be interested to hear other commenters' opinions.

    1. Graham Cobb Silver badge

      Re: DBAN

      I like the idea of "enhanced secure erase" (the feature where the drive firmware encrypts all data going onto the platter and then can be told to forget the key). Unfortunately it doesn't seem to be universally implemented yet, even on the latest very large disks (10TB and above), where it is obviously the most useful.

      Anyone have a handy list of which manufacturers/ranges include it?

      Of course, I assume that even that has a backdoor for law-enforcement access (presumably a special command, or special firmware can retrieve the last used password). Fortunately I have no illegal information to store and I think it would be good enough for stopping identity theft.

      Until it is available on all my disks, I have started using LUKS disk encryption on all disks (and will throw away the password when I decommission the disk, or it dies). I am looking forward to this meaning that next time I replace a disk I can actually just drop it in my recycling box instead of having it join the pile of disks in the attic that I will take an angle grinder to "one day".

    2. John Brown (no body) Silver badge

      Re: DBAN

      "so I'd be worried that it might not cope with more modern storage (eg NVMe)."

      I sorta assumed that to decommission an SSD would require writing to the disk until it's full, possibly at least twice since, unlike mechanical disks, you don't know where you are writing to and TRIM/wear levelling is designed to write the next data block to the least used memory cells. This also means, I assume, that the so called secure delete utilities probably don't even delete a file at all, let alone securely. Unless anyone knows differently.

  16. Anonymous Coward

    DBAN

    https://sourceforge.net/projects/dban/

  17. TomPhan

    Who gets rid of old IT kit?

    Shirley everyone reading here has mountains of equipment that they've hung onto for decades - that 2mb flash card will come in useful one day.

    1. Cris E

      Re: Who gets rid of old IT kit?

      No one is getting any of *my* personal porn off the stacks of 1.44mb disks up in the attic.

      1. John Brown (no body) Silver badge

        Re: Who gets rid of old IT kit?

        ...or my boxes of fan-fold ASCII-ART porn.

        1. Anonymous Tribble

          Re: Who gets rid of old IT kit?

          My wife made me get rid of my ASCII art collection :-(

          I'd had it for about 20 years, ever since I rewrote the code in COBOL to print it out on the Bull mainframe at work overnight.

  18. Anonymous Coward

    Never trust a secondhand drive you haven't personally recovered from a known secure source, too easy to install a hidden port, may be stolen, or contain images that could put you in jail (yes I know someone that happened to) as well as being worn out. EOL hard drives are best dismantled after secure multi-pass over writing if possible, then discs destroyed, shredded if metal, shattered if glass.

    1. John Brown (no body) Silver badge

      "EOL hard drives are best dismantled after secure multi-pass over writing if possible, then discs destroyed, shredded if metal, shattered if glass."

      If you're going to shred or shatter the platters, why waste time doing a secure multi-pass over write?

      1. Anonymous Coward

        I normally take my old drives out to the rifle range. After a couple of .30/30 rounds, no one's recovering much from the platters. Plus, it's a fun Saturday afternoon!

      2. John Brown (no body) Silver badge

        I'm curious about the downvote. Is there someone out there who thinks a shredded or shattered platter can be re-assembled and the data recovered?

  19. chrismevans

    We covered this subject in a podcast in February. It was remarkably easy to find devices with data on them. https://storageunpacked.com/2019/02/87-storage-media-reuse-versus-recycling/

  20. Anonymous Coward

    Used photo copiers?

    I know a guy who has a company set up to do short term copier rentals. Depending on who calls, the rate is either sky high or very, very cheap but all depends on the customer. If their business isn't wanted, a BOFH like excuse is given to imply if things were just a bit different the rates would be outstanding to keep the reputation at the right level.

    Some lucky customers get a newly serviced machine swapped in every month for nearly nothing. Those customers tend to be the offices of his political opponents. None has ever asked to have the hard disk swapped.

  21. Anonymous Coward

    Curiosity leads to far too much information

    I discovered PhotoRec a few years ago after misdirecting a format command to the wrong drive. I'm sure you've been there. I also happened to pick up a few used SCSI disks around the same time as part of a PC-tinkering itch to play around with various controllers that used to be the stuff of dreams but now are completely redundant.

    The previous owner had removed the partitions. Being a curious sort, I pointed PhotoRec at one or two of them. They must have belonged to a recruitment agency or similar, as vast quantities of photographs of passports, driving licenses, and various other identification docs were immediately recovered. No encryption of course.

    Nice to know your personal data is being so carefully handled, no?

    A blast of DBAN cleared the drives out good enough to stop me from recovering any more, though DBAN and Sledgehammer might be necessary to stop the truly determined!

    Obviously this was all pre-GDPR but one has to wonder if it would now be possible to file a lawsuit on behalf of those whose data was not suitably disposed? There is the minor problem that identifying those individuals in the first place to tell them employment agency X has screwed up would itself be a contravention of GDPR. So how does one ever get justice over sloppy handlers...?
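
Several comments above describe media that had been formatted or had its partitions removed but still held recoverable files. The following is an added example, not part of any comment or of the original article: a Python check a seller could run over a drive image before disposal, counting non-zero sectors and sector-aligned file signatures. The names `audit_wipe` and `make_sample_image` are hypothetical, and the sample image is constructed for the demonstration.

```python
import io

SECTOR = 512
# Well-known file-format magic bytes; files start on sector-aligned clusters.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip/docx": b"PK\x03\x04",
}


def audit_wipe(stream, sector_size=SECTOR):
    """Read a disk image sector by sector and summarise what is left on it."""
    zero = bytes(sector_size)
    total = nonzero = 0
    first_nonzero = None
    hits = {name: 0 for name in SIGNATURES}
    while True:
        sector = stream.read(sector_size)
        if not sector:
            break
        if sector != zero[:len(sector)]:  # a short final read is handled too
            nonzero += 1
            if first_nonzero is None:
                first_nonzero = total
            for name, magic in SIGNATURES.items():
                if sector.startswith(magic):
                    hits[name] += 1
        total += 1
    return {
        "sectors": total,
        "nonzero": nonzero,
        "first_nonzero": first_nonzero,
        "signatures": {k: v for k, v in hits.items() if v},
        "verdict": "clean" if nonzero == 0 else "residual data",
    }


def make_sample_image(sectors=64, wiped=False):
    """Constructed sample: a drive whose partition table was cleared only."""
    img = bytearray(sectors * SECTOR)
    if wiped:
        return bytes(img)  # what a full zero-fill pass leaves behind
    img[510:512] = b"\x55\xaa"  # boot signature remains, partition entries zeroed
    jpeg = b"\xff\xd8\xff\xe0" + b"\xab" * (3 * SECTOR - 4)  # fake 3-sector photo
    img[8 * SECTOR:8 * SECTOR + len(jpeg)] = jpeg
    pdf = b"%PDF-1.4\n% constructed sample document\n"
    img[20 * SECTOR:20 * SECTOR + len(pdf)] = pdf
    return bytes(img)


if __name__ == "__main__":
    for label, wiped in (("partitions removed", False), ("zero-filled", True)):
        report = audit_wipe(io.BytesIO(make_sample_image(wiped=wiped)))
        print(f"{label}: {report}")
```

A "clean" verdict only covers the logical sectors the host can read; remapped sectors and SSD over-provisioned areas, which commenters mention above, are not visible to this kind of scan.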

  22. Anonymous Coward

    Many, many moons ago, as a young IT sprog, I had a job swapping out hard drives on Gummerment 386s buried in a chamber under a RAF base in the South of England.

    Under escort by armed guard, the base techie and I carried our highly valuable, nearly new drives to a place of execution, where a third body proceeded to smash each one to bits with a sledge hammer before shredding and incineration.

    That taught me a bit about real security.


Biting the hand that feeds IT © 1998–2020