But more often than not, the presence of easily recoverable data wasn’t the phone’s fault—it was the owner’s. Twelve of the 20 phones examined were not, in fact, factory reset.

On some, owners tried to delete their files manually. In those cases, researchers were often able to dig up the deleted files with free data-recovery tools available online. Other owners hadn’t even tried to delete files or perform a factory reset before selling their devices—and two phones were even still signed into old Gmail accounts.

It may not come as a surprise that the pawn-shop owners made less-than-accurate claims about the smartphones they were reselling. In fact, it could be that the smartphone owners that didn’t reset their phones to factory settings were not planning to sell their phones: Pawn shops often end up with lost and stolen electronics.

In the end, the researchers compiled a massive trove of recovered information. They found more than 1,200 photos, including nearly 150 of children; 300 emails and texts; three invoices; and one contract.

And, in keeping with CSI lore, some of the recovered data was potential blackmail material. Researchers found 170 Google searches for porn, 200 explicit photos, and one adult video.

Advanced recovery methods can find even more: A pair of researchers at Cambridge University were able to extract passwords and encryption keys from buggy Android phones that had been factory reset.

As new smartphones ship with stronger and stronger encryption, used phones are becoming less likely to cough up previous owners’ information. The difference is stark: When Avast’s researchers ran a similar experiment last year, they found 40,000 emails, texts, and photos. That’s a 95 percent decrease in just one year.

Current iPhones, for example, are outfitted with full-disk encryption, which renders data indecipherable without a passcode. This technology, which has locked the FBI out of many phones it wants to access, has also led to a drop in smartphone thefts.

But the newest, shiniest smartphones are out of reach for many in the U.S. and abroad. If a CEO leaves an iPhone 6S in a taxi and it’s stolen, an assistant can lock it remotely and expense a new one the next day. But for those who can’t afford a $650 phone, cutting-edge encryption is not the default. And that means that someone selling their entry-level smartphone at a pawnshop—perhaps for some cash between paychecks—can be putting themselves at risk of potentially disastrous credit fraud or identity theft.

Related Video