Anyone selling, trading in, or recycling a phone risks handing over saved passwords, banking apps, photos, and account credentials to a stranger. Federal guidance from both the FTC and NIST spells out specific steps that go well beyond a quick factory reset, yet many sellers skip them entirely. The gap between what a standard reset actually removes and what a proper sanitization workflow erases is where identity theft begins.
Why a factory reset alone leaves phones exposed
A factory reset through the phone’s built-in menu is the step most people think of first, and it is necessary. But federal consumer guidance treats it as just one item on a longer checklist. The FTC advises sellers to back up files, sign out of every account, remove SIM and SD cards, and only then perform the reset. Skipping the earlier steps can leave cloud-synced data, saved Wi-Fi credentials, and payment tokens accessible to whoever powers the device on next.
NIST frames the problem in more technical terms. Its sanitization standard classifies data clearing into three tiers: Clear, Purge, and Destroy. A standard factory reset on most consumer phones maps roughly to the Clear level, which uses logical techniques to overwrite user-addressable storage. Purge goes further, applying media-specific commands that target areas a normal reset may not touch. Destroy renders the media physically unusable. The right tier depends on the sensitivity of the data stored on the device and the type of storage media inside it.
The hypothesis that phones processed through a full NIST Purge workflow before resale produce fewer account-takeover incidents than devices erased only via manufacturer resets is logical on its face, but no published federal dataset currently quantifies the difference. Neither NIST nor the FTC has released incident-level data tying specific sanitization methods to post-sale fraud rates. That absence of hard numbers does not weaken the federal agencies’ guidance; it simply means the measurable advantage of Purge over Clear for consumer phones has not been isolated in a public study.
FTC and manufacturer checklists that fill the gap
The FTC’s consumer advice on removing personal information before getting rid of a phone lays out a sequence designed to close the holes a reset alone leaves open. The order matters: signing out of accounts and unlinking the device from cloud services before wiping it ensures that authentication tokens tied to the phone are revoked server-side, not just deleted locally.
Apple’s preparation guide requires users to sign out of their Apple Account and disable Find My before erasing an iPhone or iPad. Failing to do so triggers Activation Lock, which can brick the device for the buyer and leave the seller’s credentials tethered to hardware they no longer possess. If the phone has already changed hands, Apple provides a separate process for removing a device from its location-tracking dashboard after the fact, but that assumes the seller still controls the associated account.
Google’s Android reset process similarly requires whoever sets the phone up after the wipe to sign in with a Google account that was previously registered on the device, a safeguard known as Factory Reset Protection. Sellers who skip the sign-out step before resetting can inadvertently lock the buyer out while keeping their own Google account exposed until server-side tokens expire or are revoked. That risk increases when sellers reuse passwords or leave recovery email addresses and phone numbers unchanged after the sale.
The FTC’s business-focused guide to protecting personal information extends the same principles to organizations that retire phones in bulk. It stresses inventorying devices, choosing disposal methods that match data sensitivity, and verifying that wipes or destruction actually succeed. While written for companies, the underlying logic applies to individual sellers: know what’s on the device, choose an erasure method that fits the risk, and confirm the result instead of assuming the reset worked.
For anyone preparing to sell a phone right now, the practical first step is to complete a full backup to a computer or cloud service, then sign out of every app and account on the device, remove the SIM card and any SD card, and finally run the manufacturer’s factory reset. On iPhones, confirm that Find My is disabled during the erase flow. On Android devices, verify that the Google account has been removed before initiating the reset. These steps take roughly ten minutes and close the most common gaps that a reset alone misses.
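The FTC’s business guidance above (inventory the devices, match the disposal method to data sensitivity, verify the wipe) and the individual checklist (sign out, remove cards, reset, confirm) can be expressed as an audit over a retirement inventory. The following is an added example, not code from the FTC, NIST, or this article; the sensitivity-to-tier policy, the method-to-tier mapping, the device records, and all function names are constructed assumptions for illustration.

```python
"""Audit a phone-retirement inventory against NIST-style sanitization tiers.

Added example (not from NIST, the FTC, or the article). The policy tables
below are simplified assumptions, not NIST's own decision flow.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# NIST SP 800-88 tiers, ordered from least to most thorough.
TIER_RANK = {"Clear": 1, "Purge": 2, "Destroy": 3}

# Assumed mapping from erasure method to the tier it achieves. A built-in
# factory reset is treated as Clear, as the article describes.
METHOD_TIER = {
    "factory_reset": "Clear",
    "vendor_purge_tool": "Purge",
    "physical_destruction": "Destroy",
}

# Assumed organisational policy: required tier by data sensitivity.
REQUIRED_TIER = {"low": "Clear", "moderate": "Purge", "high": "Destroy"}

# Exposure-relevant steps the FTC checklist puts before the reset. Backing up
# is omitted here because it protects the seller from data loss, not exposure.
PRE_RESET_STEPS = ("signed_out", "cards_removed")


@dataclass
class Device:
    asset_id: str
    sensitivity: str            # "low" | "moderate" | "high"
    method: Optional[str]       # key of METHOD_TIER, or None if nothing recorded
    verified: bool              # did someone confirm a fresh setup screen / destruction?
    steps_done: Set[str] = field(default_factory=set)


def audit_device(dev: Device) -> List[str]:
    """Return findings for one device; an empty list means it may be released."""
    findings: List[str] = []
    required = REQUIRED_TIER[dev.sensitivity]

    if dev.method is None:
        findings.append("no sanitization recorded")
    else:
        achieved = METHOD_TIER.get(dev.method)
        if achieved is None:
            findings.append(f"unknown method {dev.method!r}")
        elif TIER_RANK[achieved] < TIER_RANK[required]:
            findings.append(f"{achieved} achieved but {required} required")

    missing = [s for s in PRE_RESET_STEPS if s not in dev.steps_done]
    if missing:
        findings.append("pre-reset step(s) missing: " + ", ".join(missing))

    if not dev.verified:
        findings.append("wipe not verified")
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map asset_id -> findings, keeping only devices that have findings."""
    report = {d.asset_id: audit_device(d) for d in devices}
    return {aid: f for aid, f in report.items() if f}


def release_ready(devices: List[Device]) -> List[str]:
    """Asset ids with no findings, i.e. cleared for resale or recycling."""
    return [d.asset_id for d in devices if not audit_device(d)]


# Constructed sample inventory (not real assets).
ALL_STEPS = {"signed_out", "cards_removed"}
SAMPLE = [
    Device("A1", "low", "factory_reset", True, set(ALL_STEPS)),
    Device("A2", "moderate", "factory_reset", True, set(ALL_STEPS)),
    Device("A3", "high", "physical_destruction", False, set(ALL_STEPS)),
    Device("A4", "low", None, False, set()),
]

if __name__ == "__main__":
    for aid, findings in audit_inventory(SAMPLE).items():
        print(aid, "->", "; ".join(findings))
    print("release-ready:", release_ready(SAMPLE))
```

The tier comparison is what separates this from a plain checklist: a device that was reset exactly as the manual says (A2) still fails because the policy for moderate-sensitivity data calls for Purge, and a physically destroyed device (A3) still fails until someone records that the destruction was confirmed, matching the FTC’s point that verification is a separate step from the wipe itself.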
What no federal source has measured about post-sale phone data
Several questions remain open. No primary NIST or FTC dataset quantifies how often sold phones retain recoverable data after a factory reset alone. Neither Apple nor Google has published post-reset data remanence rates for their current hardware. And while the FTC links to identitytheft.gov as a reporting resource for consumers, no public records from that portal isolate incidents specifically tied to inadequately wiped consumer phones.
The absence of these numbers creates a blind spot for both regulators and consumers. Without baseline remanence data, it is difficult to know whether the Clear-level wipe built into modern smartphones with hardware encryption is functionally equivalent to a Purge-level sanitization for most people, or whether meaningful residual risk persists. Smartphone storage architectures have changed significantly since NIST first published its sanitization framework, and the Rev. 2 update accounts for newer media types, but consumer-facing testing data has not followed.
What sellers can act on today is the overlap between federal guidance and platform requirements. At minimum, that means treating a factory reset as the final step in a broader workflow rather than the whole process. It also means assuming that anything left signed in, synced, or physically attached to the phone at the moment of sale could be misused if the next owner is careless or malicious.
Individuals who handle especially sensitive information, such as health, legal, or financial records, may want to go further than default menus allow. That can include using vendor-provided tools to remotely wipe devices enrolled in management programs, confirming that backups are encrypted, or, in edge cases, choosing physical destruction over resale. Those decisions are ultimately risk calculations made without the benefit of granular federal statistics, but they align with the tiered approach NIST describes.
Until regulators or manufacturers publish more detailed measurements of post-sale data exposure, the safest assumption is that careful preparation still matters. Back up what you need, sign out everywhere, remove cards, perform the reset, and verify that the device boots to a fresh setup screen with no trace of your accounts. In the absence of hard numbers, following that full checklist is the most practical way for everyday sellers to keep a used phone from becoming the starting point for someone else’s identity theft story.
*This article was researched with the help of AI, with human editors creating the final content.