Car maintenance company leaks 12.7k US phone numbers, emails and MD5 unsalted passwords


The Ukrainian car maintenance company, XADO, has suffered a data breach of its American website, Xado.us, with 12,724 US phone numbers, emails and passwords leaked. The passwords were hashed with MD5, which is considered a weak hash, and unsalted. The database was offered for free on a Russian hacker forum on September 15, 2020.

We notified Xado Chemicals on September 16 of the leak, but have not received a response from them yet.

The Xado.us database leak made available for free on a Russian hacker forum

Who is the company behind the leak?

Xado US is the American arm of the Ukrainian manufacturer of car care products and lubricants, available in more than 80 countries according to its website. The company was founded in 1991 and lists itself as “the biggest player in Russian market of the imported and domestic antifriction materials.” XADO is also heavily involved in Russian and Ukrainian motorsports. 

Xado US is the online shop for the American market, and the database likely contains mostly American customers:

Sample of the Xado.us leaked data

An analysis of the phone numbers listed in the leaked database shows American area codes. The passwords are hashed with MD5, which has long been known as the least secure hashing algorithm to store passwords. It is noted for having collisions and is very easy to bruteforce passwords or use dictionary attacks on them if a database is leaked with MD5.. These passwords are also unsalted, which is considered a poor security practice. 

Salt is an additional piece of random data that is added to a password for hashing, in order to add an extra layer of security to stored passwords.

Who had access to the data?

The data was freely available on a popular Russian hacking forum. Therefore, it’s reasonable to assume that a sizable portion of the forum had access to the data.

What’s the impact of the leak?

While the Xado leak doesn’t contain very sensitive data such as credit card or social security numbers, this type of data is still quite useful for cybercriminals.

Scammers can use email addresses and dehashed passwords for a variety of attacks. This includes not only phishing attacks, but also matching dehashed passwords to other online accounts connected to the same email address or phone number.

Next steps

If you are Xado or have a similar database, you should make sure that in general you:

  • Hash your passwords properly, with something like the National Institute of Standards and Technology (NIST)-recommended SHA-256 or better
  • Salt your passwords
  • Patch your system, including your CMS, since breaches normally happen due to an outdated or unpatched system, weak password, or access control issues 

If you’re a customer of Xado US, there’s a good chance your data has been leaked. To see if you’ve been affected by this breach, we recommend you:

  1. Check our personal data leak checker to see if your email address is included in the leak.
  2. If your email address was leaked, you should change your password immediately. We recommend using a password manager to store your passwords.
  3. Watch out for suspicious emails, as they may be phishing attempts. Avoid clicking on links from suspicious emails.