Tax returns, contracts and bank statements were among the “deleted” files recovered by Abertay University investigators from used USB drives.
Cybersecurity researchers discovered about 75,000 files after buying 100 of the drives on an internet auction site.
Some USB drives contained files named “passwords” and images with embedded location data.
All but two of the drives appeared empty, but the team said it had been “worryingly easy” to retrieve data.
The researchers used “publicly-available tools” to retrieve the sensitive information.
They said only 32 of the drives had been properly wiped.
Partial files were extracted from 26 devices and every single file was extracted from the remaining 42 USB drives.
Many of the files extracted were determined to be of “high sensitivity.”
Prof Karen Renaud, from Abertay’s division of cybersecurity, said the discovery was “extremely concerning.”
She said: “An unscrupulous buyer could feasibly use recovered files to access sellers’ accounts if the passwords are still valid, or even try the passwords on the person’s other accounts given that password re-use is so widespread.”
Prof Renaud said that some sellers would be unaware that they had left data on the drive, believing they had permanently deleted the information.
She said: “Software is freely available that can permanently wipe USB drives, so if you are going to sell a device we would strongly recommend using that.”
The research was led by student James Conacher for his master's project.