 [German]Is it a surprise? No, it's not a surprise, but rather to be expected. The Recall spyware feature that Microsoft is pushing onto Windows systems continues to collect sensitive information such as credit card details and passwords. And this despite Microsoft's claims that this is not the case.
Recall, Microsoft's nightmare come true
Recall allows Windows to continuously take screenshots of the user's screen and use a generative AI model to process the data and make it searchable. Microsoft's promise was that users would only have to type in a keyword to find out what they had done or where the documents with that keyword could be found on their computer.
Recall introduces a "bug" (in the sense of a surveillance device) into Windows that precisely records everything the user does and then makes it searchable. The computer that was once launched as a "personal PC" no longer has anything personal about it—everyone becomes transparent—a nightmare for privacy-oriented users.
Security researchers tore the concept apart when it was unveiled in June 2024, forcing Microsoft to withdraw Recall and fundamentally rework it. I covered that in my article Copilot+AI: Recall, a security disaster – AI-assisted theft. At the beginning of September 2024, Recall was then reintroduced via an update in Windows 11 24H2 (see Windows 11 24H2: Update KB5041865 ships Recall).
Microsoft had made extensive changes to secure the feature and explained this in a blog post (see Microsoft explains Windows 11 Recall in a revised version). Recall is activated as an opt-in during setup, and users should also be able to completely remove Recall by using the settings for optional features in Windows.
Microsoft promised that snapshots would only be taken or stored locally if the user wanted them to be. Recall would not share snapshots or related data with Microsoft or third parties, nor would they be exchanged between different Windows users on the same device. The user would always be in control. David Weston, Vice President of Enterprise and OS Security at Microsoft, explained the corrections to the new version of Recall in the article Update on Recall security and privacy architecture on September 27, 2024.
In April 2025, Recall began to be rolled out gradually on Copilot+ PCs running Windows 11 24H2 (see Microsoft rolls out recall for Windows 11 24H2 on Copilot+ PCs).
Recall continues to store sensitive information
One of the major concerns many people had was that Recall would capture and then store sensitive information such as password entries or credit card and payment data. Back in December 2024, I mentioned in the article Windows: Microsoft's "improved" Recall continues to record sensitive information that the revised Recall continues to record sensitive data.
Failed test in December 2024
The filter functions that were supposed to prevent this did not work reliably, as the website Tom's Hardware discovered in a test. When the tester entered a credit card number and a random username/password into a Windows Notepad window, Recall captured this data. This happened even though he had entered text such as "Capital One Visa" directly next to the numbers. A fake website with corresponding input fields for credit card data was also captured by Recall. Fortunately, this was all still a preview of Recall, tested in a Windows Insider version.
When asked, Microsoft stated that Recall had been updated to recognize sensitive information such as credit card details, passwords, and personal identification numbers. If such information was recognized, Recall did not save these snapshots. However, there was an admission that this recognition did not really work – users should report cases where sensitive information was captured to Microsoft via the Feedback Hub.
Fail in the July 2025 test
Now we are more than half a year further down the line, but the situation appears to be unchanged. The Register tested Recall again on a CoPilot+PC and published its findings on August 1, 2025, in an article titled Tested: Microsoft Recall can still capture credit cards and passwords, a treasure trove for crooks.
The short version is: Microsoft Recall does have a filter that is supposed to prevent sensitive information such as credit card numbers from being recorded in screenshots. However, a test by The Register showed that this filter still failed in many cases at the end of July 2025.
The filter is "good, but not good enough." The tester noticed that after logging into the bank account, Recall diligently took screenshots of the account balances, etc. Only the login details for the bank account were not captured. On a Microsoft page for entering credit card details, Recall left the input fields blank in the screenshots (i.e., they are filtered).
However, a fake website on which text such as "Checkout page" and "Enter payment information" had been removed prompted Recall to record all sensitive information such as credit card details, etc.
For the PayPal account, Recall captured the login screen with the user name, but filtered out the password and the content of the account pages with the transactions. A photo of the tester's passport was correctly ignored by Recall on the screen. When the photo was partially covered by a window, the visible parts ended up in Recall. One could put it this way: it is a matter of luck whether sensitive data is filtered out of Recall's recordings.
Recall is therefore a potential treasure trove for thieves, writes The Register. Microsoft notes that the stored data is encrypted and can only be viewed by the user with Windows Hello. But as the saying goes, "the devil is in the details." If something has been stored, it is not unlikely that it will eventually come to light unintentionally.
Is this still needed, or can it be discarded?
So if I can't be sure that Recall reliably filters sensitive content, maybe I shouldn't use it. If I don't use it, Recall is actually superfluous – and then we're back to square one. CoPilot+PC is promoted as a way to reap the benefits of the latest Microsoft offerings. If it doesn't work, I don't need CoPilot+PC either.
You can do without CoPilot+PC devices and hope that Recall does not affect normal PCs. Users can then, of course, choose not to activate Recall.
If you want to ensure that family members do not activate Recall on private PCs, you can use the O&O ShutUp10 tool, which offers to deactivate Recall and Copilot. This also works with Windows 10 Home or Pro. In companies, administrators should then deactivate Recall via group policies. It's always nice to see how Microsoft keeps people busy with unwanted features and their deactivation – or have I misunderstood something?
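For the corporate case mentioned above, here is an added PowerShell example (not from the article or from Microsoft) that audits and, if necessary, enforces the Recall policy on a single machine. It assumes that the Group Policy "Turn off saving snapshots for Windows" is backed by the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis = 1, and that the optional feature is registered under the name "Recall" on Windows 11 24H2.

```powershell
# Added example: audit and enforce the policy that stops Recall from saving snapshots.
# Assumption: the policy is stored as the DWORD DisableAIDataAnalysis = 1 under the WindowsAI policy key.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
$valueName  = 'DisableAIDataAnalysis'

function Get-RecallPolicyState {
    # Returns NotConfigured, Disabled (snapshots off) or Enabled (policy present but not blocking).
    $v = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NotConfigured' }
    if ($v.$valueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Set-RecallDisabled {
    # Creates the policy key if missing and sets the blocking value (needs an elevated shell).
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RecallFeatureState {
    # Assumption: the optional feature is named "Recall"; older builds simply report NotPresent.
    $f = Get-WindowsOptionalFeature -Online -FeatureName Recall -ErrorAction SilentlyContinue
    if ($null -eq $f) { return 'NotPresent' }
    return $f.State.ToString()
}

$state = Get-RecallPolicyState
Write-Host "Recall snapshot policy: $state"
if ($state -ne 'Disabled') {
    Set-RecallDisabled
    Write-Host "Policy applied; state is now: $(Get-RecallPolicyState)"
}
Write-Host "Recall optional feature: $(Get-RecallFeatureState)"
```

In a domain, the same value is best delivered centrally through a GPO rather than by script, but the audit function is useful for verifying that the policy actually landed on each client.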
Similar articles:
Copilot+AI: Recall, a security disaster – AI-assisted theft
Microsoft improves AI feature Recall and adds "security measures" – is that enough?
Windows 11 Copilot+PC will be released without recall
Windows 11 24H2: Update KB5041865 ships Recall
Microsoft explains Windows 11 Recall in a revised version
Microsoft's AI PC with Copilot – some thoughts – Part 1
Windows 11 24H2: Recall can't be uninstalled; and "poor mans recall" found
Windows 11: Recall is delayed …
Recall is back for Windows Insiders on Copilot+PCs
Windows 10/11: Copilot as a native app for Windows Insiders
Windows: Microsoft's "improved" Recall continues to record sensitive information
Microsoft rolls out recall for Windows 11 24H2 on Copilot+ PCs