Microsoft’s controversial Recall feature for Windows 11 is once again under scrutiny after independent testing revealed it can still capture sensitive user data, including credit card numbers and passwords, despite a series of promised privacy safeguards. Originally delayed after public backlash, Recall was intended to help users revisit their digital activity by taking regular screenshots of their desktops. However, the potential for it to record confidential information has left cybersecurity experts uneasy—and with good reason.

A new investigation by The Register shows that, while Microsoft has implemented mechanisms to filter out sensitive information like passwords and financial data, those safeguards aren’t foolproof. In their tests, Recall was still able to capture credit card details and visible account balances. While the system did avoid logging login credentials for banking websites, it still recorded enough contextual information—like the name of the bank and available balance—that could be useful to attackers.

Further tests found that Recall could bypass its own protections by capturing images of files containing passwords and taking screenshots of login screens that included usernames but not passwords. In other words, the filters work in some cases but fail in others, raising serious concerns about their reliability. This partial filtering creates a situation where users may believe they are protected when, in fact, they remain vulnerable under specific conditions.

Microsoft claims the data is stored in encrypted form on the device, which should limit unauthorized access. But even with encryption, the risk of exposure increases if the device is compromised. For users concerned about privacy, the safest path remains disabling Recall altogether until Microsoft can ensure the feature reliably filters sensitive information—every time.