An amateur researcher who goes by the nickname @greentheonly on Twitter and describes himself as a “Tesla tinkerer that’s curious about how things work” recently gained access to 13 media control units (MCUs) that were removed from different Tesla vehicles during repairs and refurbishments.

The MCU of a Tesla car is the infotainment system, where you can run Netflix, YouTube or Spotify on a large touchscreen or connect to WiFi, just to mention a few. And of course, you are also able to store the phone numbers of your contacts, which are considered private information and should not be stored lightly.

On all 13 MCUs, sensitive information was still stored and accessible even though the MCUs were meant to be retired. This included phone books from connected phones, phone call logs, calendar entries, personal notes (for example, passwords stored in plaintext), locations for home, work, and all other places navigated to, and session cookies that allowed access to Netflix and YouTube (and attached Gmail accounts).

All 13 of the devices showed that their last location was at a Tesla service point, hence they were removed by an authorised Tesla technician, for whatever reason.

@greentheonly states that he bought the MCUs on eBay, except for one which he got from a friend, and believes that Tesla's official procedure for removed MCUs is that if an MCU is intact it should be sent back to Tesla; otherwise it should be physically destroyed and thrown into the trash. But it looks like some Tesla service employees sell intact units on the side.

So, again: always remember to factory reset your device before you return it to the rental company, sell it, throw it away or, depending on the situation, give it to others to use. This applies no matter if it is a TV, a cell phone or, nowadays, a car.

Written by Joakim Rosell
