Most people would assume that doing a “factory reset” on your phone is going to securely erase any information you had on the device.  Turns out, if your phone is an Android, a lot of your personal information—including text messages, pictures, emails and even access to your Facebook account—can be recovered.

Researchers at the University of Cambridge have just published a new study detailing their attempts to recover data from 21 different Android phones made by Samsung, HTC, LG, Motorola and Google.  All of the devices were completely erased using the built-in “factory reset” functions, and every single device still had personal information that failed to be erased.

The biggest threat here is to anybody looking to resell their own phones.  Even if you follow all of the instructions from Google or the device’s manufacturer, there’s actually no way for you to completely erase all of your information from the phone.  You might not be too worried if you’re handing it down to another member of your family, but if you’re selling to a stranger over the internet you could actually be handing them the keys to all of your security.

So what’s the best way to deal with your old Android phone?  According to Per Thorsheim, a expert in cybersecurity based out of Norway, “Don’t hand off your old phone.  Smash it.”  Many of us in the iPhone camp have long advised this approach, but it turns out we actually have a legitimate basis for it now.