Researchers at Cambridge University have written a paper showing how flawed factory reset is in wiping personal data from Android handsets using versions 2.3-4.3. (They didn't use any handsets later than 4.3). To make things worse, if you fully encrypted all the data, you may have in fact exposed yourself even more as the key to decrypt the data isn't deleted properly by the reset.
Researchers were able to recover SMS, emails, contacts, photos, videos, Facebook, Whatsapp, and even your personal Google token, which gives access to all your Google information. The flaw seems to be in the way flash drives in mobile handsets are designed to have a certain element of failure and errors. This does mean that other mobile devices may also be prone to such security, although it's unknown at present.
The best solution is to encrypt your phone when you first get it, and use an impossibly long password with letters, numbers and symbols to unlock your phone each time you use it. Most hackers will just give up as it could take years!
The researchers did make some recommendations to manufacturers, so lets hope they take up the advice.