- May 4, 2020
The Ukrainian car maintenance company, XADO, has suffered a data breach of its American website, Xado.us, with 12,724 US phone numbers, emails and passwords leaked. The passwords were hashed with MD5, which is considered a weak hash, and unsalted. The database was offered for free on a Russian hacker forum on September 15, 2020.
An analysis of the phone numbers listed in the leaked database shows American area codes. The passwords are hashed with MD5, which has long been known as the least secure hashing algorithm for storing passwords. It is noted for having collisions, and passwords stored with it are very easy to brute-force or to recover with dictionary attacks if the database is leaked. These passwords are also unsalted, which is considered a poor security practice.
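The sketch below is an added example, not code from the article or from the affected site. It contrasts the unsalted MD5 storage described above with a per-user salted scrypt record, and shows one way to upgrade legacy records at the next successful login. The function names, the `scrypt$salt$key` record format and the sample passwords are assumptions constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

def legacy_md5(password: str) -> str:
    """Unsalted MD5, the weak storage scheme the article describes."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: bytes | None = None) -> str:
    """Random per-user salt plus scrypt; returns 'scrypt$<salt hex>$<key hex>'."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                         maxmem=64 * 1024 * 1024, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login against either format; return (ok, record_to_store).

    A correct login against a legacy MD5 record yields a fresh scrypt
    record, so the weak hash can be dropped from the database.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        candidate = hash_password(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored), stored
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (hash_password(password) if ok else stored)

if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    pw = "Winter2020!"
    # Unsalted MD5: identical digests, so one precomputed lookup covers both.
    print(legacy_md5(pw) == legacy_md5(pw))        # True
    # Salted scrypt: the records differ even though the password is the same.
    print(hash_password(pw) == hash_password(pw))  # False
    ok, upgraded = verify_and_upgrade(pw, legacy_md5(pw))
    print(ok, upgraded.split("$")[0])              # True scrypt
```
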