© 2021 CyberNews - Latest tech news, product reviews, and analyses.


Car maintenance company leaks 12.7k US phone numbers, emails and MD5 unsalted passwords

by Bernard Meyer
17 September 2020
in Security
Xado US leaks thousands of US phone numbers, emails and MD5 unsalted passwords

The Ukrainian car maintenance company, XADO, has suffered a data breach of its American website, Xado.us, with 12,724 US phone numbers, emails and passwords leaked. The passwords were hashed with MD5, which is considered a weak hash, and unsalted. The database was offered for free on a Russian hacker forum on September 15, 2020.

We notified Xado Chemicals on September 16 of the leak, but have not received a response from them yet.

The Xado.us database leak made available for free on a Russian hacker forum

Who is the company behind the leak?

Xado US is the American arm of the Ukrainian manufacturer of car care products and lubricants, available in more than 80 countries according to its website. The company was founded in 1991 and lists itself as “the biggest player in Russian market of the imported and domestic antifriction materials.” XADO is also heavily involved in Russian and Ukrainian motorsports. 

Xado US is the online shop for the American market, and the database likely contains mostly American customers:

Sample of the Xado.us leaked data

An analysis of the phone numbers listed in the leaked database shows American area codes. The passwords are hashed with MD5, which has long been known as the least secure hashing algorithm for storing passwords. MD5 is noted for having collisions, and if a database of MD5 hashes is leaked, it is very easy to brute-force the passwords or run dictionary attacks against them. These passwords are also unsalted, which is considered a poor security practice.

Salt is an additional piece of random data that is added to a password for hashing, in order to add an extra layer of security to stored passwords.

Who had access to the data?

The data was freely available on a popular Russian hacking forum. Therefore, it’s reasonable to assume that a sizable portion of the forum had access to the data.

What’s the impact of the leak?

While the Xado leak doesn’t contain very sensitive data such as credit card or social security numbers, this type of data is still quite useful for cybercriminals.

Scammers can use email addresses and dehashed passwords for a variety of attacks. This includes not only phishing attacks, but also matching dehashed passwords to other online accounts connected to the same email address or phone number.

Next steps

If you are Xado or have a similar database, you should make sure that in general you:

  • Hash your passwords properly, with something like the National Institute of Standards and Technology (NIST)-recommended SHA-256 or better
  • Salt your passwords
  • Patch your system, including your CMS, since breaches normally happen due to an outdated or unpatched system, weak password, or access control issues 
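
To illustrate the hashing and salting advice above, here is an added example (not code from Xado or from this article). It contrasts unsalted MD5 with a per-user salted hash, using PBKDF2-HMAC-SHA256 from Python's standard library as one SHA-256-based option. The record format, iteration count and sample accounts are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: work factor picked for this example
SALT_BYTES = 16

def legacy_md5(password: str) -> str:
    """Unsalted MD5 as described in the leak: same password, same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh salt."""
    salt = os.urandom(SALT_BYTES)  # random per-user salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record is treated as a failed login
    return hmac.compare_digest(dk, expected)

def shared_hashes(rows):
    """Group accounts whose stored hash is identical (a sign of missing salt)."""
    groups = {}
    for user, stored in rows:
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

if __name__ == "__main__":
    # Constructed sample accounts, not data from the leak.
    sample = [("alice@example.com", "Summer2020"),
              ("bob@example.com", "Summer2020"),
              ("carol@example.com", "x9!Lq")]
    md5_rows = [(u, legacy_md5(p)) for u, p in sample]
    salted_rows = [(u, hash_password(p)) for u, p in sample]
    print("unsalted MD5, shared hashes:", shared_hashes(md5_rows))
    print("salted PBKDF2, shared hashes:", shared_hashes(salted_rows))
```

With unsalted MD5, the two accounts that reuse a password share one hash, so recovering it once exposes both; with a per-user salt every stored record is distinct.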

If you’re a customer of Xado US, there’s a good chance your data has been leaked. To see if you’ve been affected by this breach, we recommend you:

  1. Check our personal data leak checker to see if your email address is included in the leak.
  2. If your email address was leaked, you should change your password immediately. We recommend using a password manager to store your passwords.
  3. Watch out for suspicious emails, as they may be phishing attempts. Avoid clicking on links from suspicious emails.