This notice concerns a confirmed data breach affecting the XVO platform. If you had an XVO account, your personal information may have been exposed. Please read this page in full and follow the steps outlined below.
Incident Report · INC-2026-0312-XVO
The March 12 Incident: XVO Database Breach
On March 12, 2026, SYNVO Technologies confirmed an unauthorised access event affecting the XVO platform database. A threat actor exfiltrated sensitive user records including email addresses, dates of birth, gender, IP addresses, hashed passwords, and usernames. This page serves as the official public disclosure.
Date of Breach12 Mar 2026
Discovered14 Mar 2026
Records Affected48,291
SeverityCritical
StatusContained
PlatformXVO (Shutdown)
Scope & Impact
48,291
User Records
31,804
Emails Leaked
48,291
Usernames
17
Countries Affected
The breach affected all active and deactivated XVO accounts created between XVO's launch date and the platform shutdown on March 21, 2026. The attacker gained access to a legacy database replica that had not been properly secured following a backend migration in January 2026.
The following categories of data were confirmed to have been exfiltrated:
Confirmed Exfiltrated Data Fields
Email addresses — plaintext, associated with account registration
Usernames — display names and internal @handles
Dates of birth — entered during account creation
Gender — self-reported during profile setup
IP addresses — last login IPs and registration IPs (up to 5 per user)
Password hashes — bcrypt-hashed; plaintext not stored, however weak passwords may be recoverable via brute force
Account creation timestamps
Device fingerprints — browser/OS info logged at session time
Not Confirmed Leaked
Payment information — XVO did not store payment data directly
Private messages — stored in a separate, isolated database
Government-issued ID documents
Phone numbers — not collected by XVO
Incident Timeline
Jan 18, 2026 · 03:42 UTC
Backend migration creates unprotected replica
During a scheduled database migration, an engineer inadvertently left a replica instance publicly accessible without authentication. The replica contained a full snapshot of the XVO user database as of January 18.
Mar 12, 2026 · 01:17 UTC
First unauthorised access detected (retroactively)
Access logs later confirmed that an external IP (185.220.101.47, attributed to a Tor exit node) began scanning the exposed replica at 01:17 UTC. Over the next 4 hours, approximately 48,291 records were extracted via automated tooling.
Mar 12, 2026 · 05:53 UTC
Full database dump completed by attacker
Exfiltration completed. The attacker disconnected. No destructive action was taken on the replica — data was not deleted or modified.
Mar 14, 2026 · 11:05 UTC
Anomalous traffic flagged by monitoring system
SYNVO's automated anomaly detection flagged unusual outbound data volume from the legacy replica. An on-call engineer began investigating.
Mar 14, 2026 · 14:30 UTC
Replica instance taken offline
The exposed replica was immediately taken offline. Access to all XVO-related infrastructure was revoked and credentials rotated across all services.
Mar 15, 2026 · 09:00 UTC
Forensic investigation opened
A third-party cybersecurity firm was engaged to conduct a full forensic review of the incident. Scope, method of access, and data exfiltrated were confirmed within 48 hours.
Mar 17, 2026 · 16:44 UTC
Stolen data observed on darknet forum
A sample of the exfiltrated data (approximately 500 records) was posted on a darknet breach forum as proof of access. The post has since been reported for takedown. The full dataset has not been confirmed publicly listed for sale.
Mar 21, 2026
XVO platform permanently shut down
In light of the breach and ongoing security concerns, SYNVO Technologies made the decision to permanently shut down the XVO platform. All remaining XVO services ceased operation at 23:59 UTC.
Mar 31, 2026 · Today
Public disclosure published
This incident report is published in compliance with applicable data protection regulations. Affected users are being notified directly where contact information is available.
Sample of Exposed Records
The following is a partial sample of the leaked dataset, with sensitive fields partially redacted. This is published for transparency so affected users can verify if their information was included. Passwords are shown as hashes only.
Leaked Record Sample — 20 of 48,291Passwords Redacted
All passwords stored in the XVO database used bcrypt with a cost factor of 12. While plaintext passwords are not exposed, users who had weak or commonly used passwords should assume their password is recoverable and change it on any other service where they reused it.
Geographic Distribution of Affected Accounts
Based on registration IP data and self-reported location, the following countries had the highest concentration of affected accounts:
🇷🇴 Romania38.4%
🇬🇧 United Kingdom11.2%
🇺🇸 United States9.7%
🇩🇪 Germany6.1%
🇫🇷 France4.8%
🇮🇹 Italy3.9%
🇳🇱 Netherlands3.4%
🇪🇸 Spain2.8%
🇵🇱 Poland2.2%
🇨🇦 Canada1.9%
🇸🇪 Sweden1.6%
🌐 Other14.0%
Technical Root Cause
The root cause of this incident was a misconfigured database replica left exposed to the public internet without authentication controls during a backend infrastructure migration.
In January 2026, SYNVO's infrastructure team migrated the XVO production database to a new cloud region. During this process, a legacy replica was provisioned as a temporary read target. The team failed to apply network-level access restrictions (security group rules) and did not enable database-level authentication on the replica instance.
The replica remained exposed for 53 days before the breach was discovered. The attacker used a publicly known database scanning tool to locate open instances and extracted the full user table within a single session.
Contributing factors identified by forensic investigators include:
No automated misconfiguration detection or alerting was in place for the legacy replica
The migration checklist did not include a post-migration security validation step
Access logs for the replica were not integrated into the central SIEM, delaying detection
Sensitive fields (DOB, gender) were stored in plaintext rather than encrypted at rest
What We've Done
Immediately took the exposed replica offline upon discovery
Rotated all infrastructure credentials and API keys across SYNVO systems
Engaged an independent forensic security firm to investigate and confirm scope
Reported the incident to the relevant data protection authorities
Permanently shut down the XVO platform on March 21, 2026
Submitted takedown requests for the darknet posts containing sample data
Issued direct email notifications to all affected users where contact info was available
Implemented mandatory encryption at rest for all PII across remaining SYNVO infrastructure
What You Should Do Immediately
If you had an XVO account, take these steps now
Change your password on every site where you used the same password as your XVO account — especially email, banking, and social media.
Enable two-factor authentication on your email account and any other critical services.
Watch for phishing emails — attackers may use your leaked email address to send convincing impersonation emails. Be suspicious of any unexpected messages asking you to click a link or enter credentials.
Monitor your accounts for suspicious activity, particularly any accounts linked to the email address you used for XVO.
Check HaveIBeenPwned at haveibeenpwned.com to see if your email appears in other known breaches.
Be aware of social engineering — your date of birth and gender being public may make targeted attacks more convincing.
Regarding leaked IP addresses
IP addresses from your XVO login history may have been exposed. While an IP address alone does not give an attacker access to your devices or accounts, it could be used to narrow down your approximate location or correlated with other data. If you use a static home IP address, consider this when evaluating your risk.
Frequently Asked Questions
Was my XVO account affected?
▼
All XVO accounts that existed at any point between the platform launch and March 21, 2026 are considered potentially affected. We are sending individual notifications to users where we have valid contact information. If you had an XVO account and have not received an email, treat your data as potentially compromised.
Were plaintext passwords exposed?
▼
No plaintext passwords were stored or exposed. XVO stored passwords as bcrypt hashes with a cost factor of 12. However, bcrypt hashes can be cracked offline for weak or commonly used passwords. We strongly recommend changing your password on any service where you reused your XVO password.
Is the stolen data currently available for sale?
▼
A sample of approximately 500 records was posted on a darknet forum as proof. We have submitted takedown requests and are monitoring the situation. The full dataset has not been confirmed as publicly listed for sale, however we cannot guarantee it will not be listed in the future.
Can I request my data be deleted?
▼
Since XVO has been permanently shut down, all XVO data held by SYNVO Technologies has been securely deleted from our active systems. Unfortunately we cannot delete data that has already been exfiltrated by the attacker. You may contact us at privacy@synvo.tech for a data deletion confirmation certificate.
Will SYNVO face legal consequences?
▼
SYNVO Technologies has proactively reported this incident to the applicable data protection supervisory authorities. We are cooperating fully with their investigation. As the XVO platform is now defunct and no financial data was exposed, we are working with legal counsel to determine applicable obligations and remedies for affected users.
Why did it take so long to discover the breach?
▼
The exposed replica was not connected to SYNVO's central monitoring and alerting systems. The anomaly was ultimately detected through routine outbound traffic analysis rather than targeted security monitoring. This is a significant process failure we take full responsibility for. We have since implemented mandatory monitoring coverage across all infrastructure, including legacy and temporary instances.
Who was responsible for the attack?
▼
The access originated from a Tor exit node (185.220.101.47), making attribution difficult. Forensic analysis of the tooling used suggests an automated scanning operation rather than a targeted attack. The identity of the threat actor is unknown. We have shared all available evidence with law enforcement.
Are other SYNVO products affected?
▼
No. The breach was isolated to the XVO legacy database replica. Other SYNVO services — including Project Pixels and Project VIT — operate on entirely separate infrastructure with no shared data stores. Forensic investigation confirmed no access to non-XVO systems.
Legal & Regulatory
SYNVO Technologies has notified the relevant supervisory authorities in accordance with applicable data protection legislation, including GDPR Article 33, within the required 72-hour window from the point of confirmed discovery.
This public disclosure is published in compliance with breach notification obligations and in the interest of full transparency with affected users. SYNVO Technologies accepts responsibility for the misconfiguration that led to this incident and is committed to full cooperation with any regulatory investigation.
None of this is real.
XVO was shut down, but there was no data breach. No emails, passwords, IPs or birthdates were ever leaked. This whole page was a prank — crafted just for April 1st.