What Happens When You Sell Your Old Phone Without Wiping It

Selling your old phone without wiping it puts your photos, passwords, and bank details at serious risk. Here is exactly what can happen and how to stay safe.

Expert at Cybersafe

5/18/2026 | 10 min read


Category: Mobile Security | Reading Time: 7 minutes

IN THIS ARTICLE

1. Why this is more dangerous than most people realise

2. What data is actually left on your old phone

3. What a stranger can do with that data

4. Does a factory reset fully protect you

5. How to properly wipe your phone before selling

6. What to do before you wipe — back up first

7. Frequently asked questions

Every year millions of people upgrade to a new phone and sell, donate, or trade in their old one. Most people do a quick factory reset and assume their data is gone. Some do not even bother with that.

What actually remains on that device is something most people never think about — until it is too late.

According to a study by the cybersecurity company ESET, a significant number of second-hand devices purchased from online marketplaces contained recoverable personal data from their previous owners — including login credentials, photos, and banking information. The previous owners had no idea.

This article explains exactly what is left on your old phone, what someone with the wrong intentions can do with it, and the correct steps to take before your phone leaves your hands.

Why This Is More Dangerous Than Most People Realise

Your phone is not just a communication device. Over the years you have used it, it has quietly become a detailed record of your entire life.

Think about everything stored on the device you are holding right now:

Your photos and videos — including personal, private, and family moments.

Your contacts — the names and numbers of everyone you know.

Your saved passwords — many apps stay logged in automatically without requiring a password each time.

Your banking and payment apps — some of which may still be accessible without a PIN if the phone is reset incorrectly.

Your emails — which may contain bank statements, booking confirmations, identity documents, and years of personal communication.

Your browsing history — showing the websites you visit, what you search for, and sometimes saved login details.

Your chat history — months or years of private conversations across multiple messaging apps.

Your location history — a detailed log of everywhere you have been.

The UK consumer group Which? conducted an investigation into second-hand phones and found that devices sold without being properly wiped contained enough personal data to put their previous owners at serious risk of identity theft and financial fraud. Many of those sellers believed their data had already been deleted.

Now imagine all of that in the hands of a complete stranger. That is exactly what happens when a phone is sold without being properly wiped.

What Data Is Actually Left on Your Old Phone

When you delete a file on a phone — a photo, a message, a document — the file is not immediately destroyed. The phone simply marks that storage space as available for reuse. The actual data remains on the storage chip until something new overwrites it.

This means that after a basic factory reset, a significant amount of your old data may still be physically present on the device — just hidden from view.

The UK's National Cyber Security Centre (NCSC) warns that simply deleting files or performing a standard factory reset is not always sufficient to remove personal data from a device before selling or recycling it. The NCSC specifically recommends following manufacturer guidance for a full secure wipe.

Using freely available data recovery software — the kind anyone can download online — it is potentially possible to retrieve from an improperly wiped device:

Deleted photos and videos

Old messages and chat logs

Previously saved passwords

Email account data

Contacts and call logs

Documents and files the previous owner believed were deleted

The risk is highest on older Android devices. Newer phones — particularly those with full device encryption enabled by default — are significantly more resistant to data recovery after a proper wipe. The key word, however, is proper.

What a Stranger Can Do With That Data

Let us be specific about what someone could actually do if they purchased your old phone and recovered your data.

Access Your Bank and Payment Accounts

If your banking app was still logged in or your saved passwords were recoverable, someone could access your financial accounts directly. The Financial Conduct Authority (FCA) in the UK has highlighted that account takeover fraud — where criminals gain access to existing accounts — is one of the fastest growing categories of financial crime. Your old phone, sold without a proper wipe, could be the entry point.

Steal Your Identity

With access to your photos, emails, and documents, someone could collect enough personal information to impersonate you. According to Cifas, the UK's leading fraud prevention service, identity fraud reached record levels in recent years — and a significant proportion of cases involved personal information obtained from physical devices including old phones and laptops.

Access Your Email and Reset Every Account You Own

Your email is the master key to your digital life. The cybersecurity company Norton describes email account compromise as one of the most damaging forms of account takeover because it allows an attacker to reset passwords on virtually every other account — banking, social media, shopping, and more — using the forgot password feature.

Misuse Your Private Photos and Videos

Private photos recovered from old phones have been used for harassment, blackmail, and non-consensual sharing online. The Internet Watch Foundation (IWF) has reported cases where images were extracted from second-hand devices and used to harm the original owners. This is one of the most serious and personally damaging consequences of selling a phone without properly wiping it.

Use Your Contacts to Run Scams

With access to your full contact list, someone could send fraudulent messages pretending to be you — targeting your family, friends, and colleagues who trust your name. Action Fraud, the national reporting centre for fraud in the UK, regularly receives reports of this type of contact-list based fraud.

Expose Your Work Data

If you used your phone for work, an improperly wiped device could expose confidential business information, internal communications, client data, or company credentials. The Information Commissioner's Office (ICO) has issued fines to organisations whose employees disposed of work devices without following proper data erasure procedures — highlighting that this is treated as a serious data protection failure.

THIS IS NOT JUST THEORY: Research by the cybersecurity firm Avast found recoverable personal data — including photos, emails, and login details — on a high proportion of second-hand Android phones purchased online that had been factory reset by their previous owners.

Does a Factory Reset Fully Protect You?

A factory reset removes your data from view — but it does not always remove it from the device entirely. Whether it is enough to protect you depends on your phone model and whether encryption was enabled.

On Newer Phones With Encryption Enabled

Modern smartphones encrypt all data stored on the device by default. When you factory reset an encrypted phone, the encryption key is deleted. Without the key, any data remaining on the storage chip is scrambled and unreadable. In this case, a factory reset provides strong protection.

Apple has encrypted iPhones by default since 2014. Google made encryption the default on Android devices from Android 6.0 onwards, though some lower-end devices may still require manual activation.

On Older Phones Without Encryption

On older devices without full device encryption, a factory reset may leave recoverable data on the storage chip. The cybersecurity research team at Cambridge University demonstrated in published research that data could be recovered from a significant proportion of Android phones after a standard factory reset — particularly on devices running older versions of the operating system.
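The difference between the two cases above, shown as an added simulation (not part of the original article): a toy phone whose factory reset clears the file table and, if the device is encrypted, destroys the key. The names Phone, keystream, recoverable_after_reset and SECRET are hypothetical, the sample data is constructed, and the SHA-256 keystream is a stand-in for the hardware-backed AES a real phone uses.

```python
import hashlib
import os

SECRET = b"sort code 00-00-00 acct 00000000"  # constructed sample data


def keystream(key, offset, length):
    # Stand-in cipher (SHA-256 in counter mode), used only so the example
    # runs on the standard library; real phones use hardware-backed AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + offset.to_bytes(8, "big")
                              + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


class Phone:
    """Toy model: a raw storage chip plus a file table that points into it."""

    def __init__(self, encrypted):
        self.chip = bytearray()                      # bytes physically stored
        self.table = {}                              # name -> (offset, length)
        self.key = os.urandom(32) if encrypted else None

    def _xor(self, data, offset):
        if self.key is None:                         # unencrypted device
            return bytes(data)
        ks = keystream(self.key, offset, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, name, data):
        offset = len(self.chip)
        self.chip += self._xor(data, offset)
        self.table[name] = (offset, len(data))

    def read(self, name):
        offset, length = self.table[name]
        return self._xor(self.chip[offset:offset + length], offset)

    def factory_reset(self):
        self.table.clear()   # files disappear from view, chip is not erased
        self.key = None      # on an encrypted phone this destroys the key


def recoverable_after_reset(encrypted):
    phone = Phone(encrypted)
    phone.write("bank.txt", SECRET)
    assert phone.read("bank.txt") == SECRET   # owner can read it before reset
    phone.factory_reset()
    return SECRET in bytes(phone.chip)        # raw scan of the chip
```

On the unencrypted model the sample data is still found on the chip after the reset; on the encrypted model the same bytes remain but no longer match anything readable.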

How to Check if Your Phone Is Encrypted

On Android: Go to Settings, then Security, then look for Encryption or Encryption and Credentials. If it shows the device is encrypted, you are well protected.

On iPhone: iPhones are encrypted by default as long as you have a passcode set. If you use any passcode, your iPhone is encrypted.

KEY POINT: Even on an encrypted phone, the NCSC and most cybersecurity organisations recommend following the full secure wipe process described below rather than relying on a basic factory reset alone.

How to Properly Wipe Your Phone Before Selling

Follow these steps carefully before your phone leaves your hands. The process takes around twenty to thirty minutes and is worth every minute.

For Android Phones — Step by Step

Step 1: Back up everything you want to keep before doing anything else. See the backup section below.

Step 2: Remove your accounts. Go to Settings, then Accounts, and remove every account linked to the device — your primary account, email accounts, and any others listed.

Step 3: Remove your SIM card and any external memory card. These are not wiped by a factory reset and must be removed manually.

Step 4: Encrypt the device if not already encrypted. Go to Settings, then Security, then Encryption. If available and not already enabled, encrypt the device before resetting. This makes any remaining data unreadable.

Step 5: Perform a factory reset. Go to Settings, then General Management or System, then Reset, then Factory Data Reset. Confirm and allow the process to complete fully.

Step 6: Leave the phone on the initial setup screen. Do not enter any accounts or personal information after the reset completes.

Google's official Android support documentation confirms that performing a factory reset on an encrypted device renders remaining data unreadable and is the recommended method for securely wiping a device before transfer.

For iPhones — Step by Step

Step 1: Back up your data to iCloud or a computer.

Step 2: Sign out of your Apple ID. Go to Settings, tap your name at the top, scroll down, and tap Sign Out. This is critical — if you skip this step, the phone remains linked to your account and the new owner will not be able to use it.

Step 3: Confirm Find My is disabled. This is usually handled automatically when you sign out. Check by going to Settings, your name, and confirming Find My is off.

Step 4: Remove your SIM card.

Step 5: Erase all content and settings. Go to Settings, then General, then Transfer or Reset, then Erase All Content and Settings. Enter your passcode if prompted and confirm. Allow the process to complete.

Apple's official support documentation states that erasing an iPhone using this method removes all data and settings by deleting the encryption keys, making data recovery effectively impossible.

DOUBLE CHECK: After wiping, turn the phone on and confirm it shows the initial language and region setup screen — not your home screen. If your home screen appears, the wipe did not complete. Repeat the process.

What to Do Before You Wipe — Back Up First

Wiping your phone permanently deletes everything on it. Before doing anything else, back up the data you want to keep.

What to Back Up

Photos and videos — Transfer to a computer via USB cable, or confirm your cloud photo backup is fully synced and up to date.

Contacts — Sync to your primary account so they transfer automatically to your new phone.

Messages — Screenshot important conversations or use your messaging app's built-in backup feature.

App data — Check important apps for an export or backup option. Some apps store data locally which will be permanently lost after a wipe.

Two-step verification codes — If you use an authentication app for two-step verification, back up your account codes before wiping. Losing these can lock you out of important accounts permanently.

How to Back Up

On Android: Go to Settings, then Google, then Backup. Confirm backup is enabled and tap Back Up Now to force an immediate backup. Wait for it to complete.

On iPhone: Go to Settings, tap your name, then iCloud, then iCloud Backup, and tap Back Up Now. Wait for the backup to finish before doing anything else.

The UK's Information Commissioner's Office (ICO) advises that backing up data before wiping a device is an essential step that is frequently overlooked — and that losing access to backed-up data is one of the most common complaints received after people wipe devices without preparing first.

TAKE YOUR TIME: Do not rush the backup step. Confirm the backup is complete and recent before starting the wipe process.

Frequently Asked Questions

Is it safe to sell my phone after a factory reset?

It depends on your phone model and whether encryption is enabled. On modern phones with encryption turned on by default, a factory reset provides strong protection. On older phones without encryption, deleted data may be recoverable. Following the full steps in this article gives you the best protection regardless of your phone model.

What should I do with a phone that is too old to sell?

Do not simply throw it away. Electronics contain materials that are harmful to the environment if disposed of in regular waste. The Environment Agency recommends using a certified electronics recycling programme. Before dropping off any device, follow the full wipe process — recycling centres handle many devices and you cannot guarantee who will access yours.

Does removing my SIM card protect my data?

Removing the SIM card protects your phone number and any data stored on the SIM itself — such as some contacts on older phones. It does not protect the data stored on the phone's internal storage, which includes your photos, apps, messages, and account information. Always follow the full wipe process in addition to removing the SIM.

Can someone recover my data even after following all these steps?

If you follow the full steps in this article — encrypting the device and performing a proper factory reset — the risk of meaningful data recovery is extremely low. As Apple and Google both confirm in their official documentation, a factory reset on an encrypted device destroys the encryption keys, making any remaining data effectively unreadable.

What if I lost my phone and cannot wipe it manually?

Use the remote wipe feature. Google's Find My Device service allows you to remotely erase an Android phone from any browser. Apple's Find My service allows you to remotely erase an iPhone from icloud.com. The wipe command is sent the next time the phone connects to the internet.

Should I remove my accounts before or after the factory reset?

Always remove your accounts before the factory reset. Removing accounts first ensures they are properly delinked from the device. Relying on the reset to remove account links can cause problems — particularly on Android where the account may remain linked after reset, preventing the new owner from setting it up.

Does selling through a trade-in programme mean my data is automatically wiped?

No. Trade-in programmes and retailers do not guarantee your data is wiped before the device is resold or recycled. The consumer rights organisation Which? specifically advises customers to wipe their own devices before handing them over, regardless of what the trade-in programme promises. Your data is your responsibility.

The Bottom Line

Selling your old phone is something most people do without a second thought. But as research from organisations including ESET, Avast, and Which? has consistently shown, the personal data left on improperly wiped devices puts previous owners at real and serious risk.

Your photos, your passwords, your emails, your bank access — all of it deserves the same protection you would give your wallet or your house keys.

The steps in this article take less than thirty minutes. Compared to the damage that unprotected access to your personal data could cause, that is thirty minutes very well spent.

Wipe your phone properly. Back up first. Remove your SIM. Sign out of every account. Then sell with confidence.

Share this article with anyone who is about to upgrade their phone. Most people do not know the risk until it is too late — and a single share could save someone a serious amount of trouble.