For those who don’t know, a lot of my hobbies revolve around networking equipment and related infrastructure. Every once in a while I buy used hardware from companies that specialize in IT asset liquidation.

From these purchases, I keep receiving gear formerly owned by large organizations, either entirely un-wiped or so sloppily wiped that all it takes to uncover sensitive information is running “ls” or “dir”. Nearly every piece of equipment I’ve purchased in recent memory has been either entirely un-wiped or improperly wiped, and still contained sensitive information that required reporting to someone’s information security department (and wow, is it hard to find contacts for some companies’ infosec departments! y’all gotta start publishing security.txt files!)

Many of these could have been prevented by running a disk wiping utility, or following manufacturer guidelines for securely erasing equipment before liquidation.

Most manufacturers of network equipment offer tools to do a full zeroize (often compliant with NIST Clear).

• On modern Cisco IOS devices, this can be done with “factory-reset all secure”. Many Cisco devices prior to IOS XE 17 do not include a zeroization function, and should be liquidated with care.
• On Aruba devices, this can be done with “wipe out flash” or “erase all zeroize”, depending on the platform.
• On Juniper devices, this can be done with “request system zeroize”.

There are numerous tools available to wipe commodity computers and servers.

• For x86 PCs, nwipe is available for free for most Linux distributions.
• For machines running Linux, “shred” is available for most distributions, and is often included by default.

There are also commercially available options that provide things like Certificate of Destruction files for compliance, but I will not personally endorse any of these commercial products.

The volume at which I’ve managed to inadvertently buy equipment containing sensitive information from organizations that should know better makes me extremely worried about what people who may have ill intentions could be getting their hands on entirely undetected.

Documented below are a few notable incidents.

Incidents

Oregon State University

From 2016 to 2020, I purchased several pallets of servers and other equipment from Oregon State University’s Surplus Property department, many of which were un-wiped and still contained drives and sensitive data.

The Dell R200

In 2019, I purchased a pallet of servers which contained a Dell PowerEdge R200.

Initially, the drives from this system made their way to my “spare hard drives for a rainy day” pile with no further analysis.

A few months later, I needed to transfer a few hundred gigabytes of wedding videos to someone, and selected the drive from the drive collection. Upon connecting it, I realized it had a Windows installation and looked around on it, not realizing it wasn’t one of mine.

I found a folder on the primary partition that contained receipts for over 100,000 transactions from 2005-2014, including names, student ID numbers, emails, phone numbers, addresses, and transaction summaries from OSU’s Dixon Recreation Center for room bookings, class registrations, and equipment rentals.

After much digging, I managed to get in touch with someone in the Office of Information Security who arranged to retrieve the drives. It is not clear that OSU made any communication to those whose data was impacted.

I also attempted to contact the Department of Education to report this as a FERPA incident, but they were uninterested in taking a report because my data was not among the breach.

The Cisco Switches

Another lot consisted of four Cisco Catalyst 4500-X switches and twenty-four Cisco ME-3600X switches. They were entirely un-wiped, and booted with configurations. These all contained plain-text and reversible “type 7” credentials, all of which were reused within this lot and that I recognized from other lots of equipment purchased at other times.

I wiped all of these switches and informed the OSU’s Office of Information Security.

A Large International Accounting and Consulting Company

In March 2025, we purchased a Cisco 3850 on eBay from an e-waste liquidation company on eBay. It contained a full configuration in a startup-config.bak, indicating its origin as being from an office of a large international accounting and consulting company.

It contained plaintext and other forms of insecure credentials for SNMP, TACACS, and break-glass local accounts.

I wiped all of these and reported the incident to an IT security contact, who acknowledged the incident.

Google

In August 2025, I purchased three Aruba 7240XMs from an e-waste liquidation company on eBay.

Two of these contained complete configurations, both in the form of configuration backup files left on the device and as “show tech-support” diagnostic dumps saved to the flash memory.

These devices contained:

• “enable” secret hashes
• SNMP communities
• administrative credential hashes
• pre-shared IKE keys
• RADIUS keys
• TACACS keys
• AP debug shell password hashes
• WPA2 raw passphrases for multiple SSIDs

This incident was reported to Google’s VRP on August 25th, 2025 with a publication date of November 1st. An update to the report on August 27th noted that they had rotated the credentials, and the incident was subsequently closed.

A Local Seattle-Area Credit Union

In September 2025, I purchased an Aruba 7010 wireless controller from an e-waste liquidation company. It had been un-wiped, and indicated that it was from a local Seattle-area credit union. It contained many of the same credential types as the Google 7280s, including, most notably, WPA2 raw passphrases.

The credit union does not have a published path to report security incidents. I was unsuccessful in making contact with security through their call center, but eventually managed to reach their AVP of Enterprise Risk Management, who responded that they have “several layers of controls and credential cycling in place to mitigate risk.”