This has long been known as a risk, but the intriguing note in this report is that a 'factory reset' is insufficient to clear your private data on some Android phones. Wikipedia actually gets this wrong and claims "A factory reset should be performed with caution, as it destroys all data stored in the unit ". However it also gets closer to the truth with "it is essentially the same concept as reformatting a hard drive". This does not remove the data from a hard drive, just 'hides' it from the operating system so that it can be over-written in due course. A factory reset on a smartphone will leave data on SD cards untouched.
With so many smartphones being recycled they are obviously highly vulnerable to the retrieval of passwords, personal data, banking credentials etc.
I remember writing some years ago that as mobile phones became more sophisticated we were in danger of repeating the same security mistakes as the PC era. This is just another example of that.