- Parking platform ‘ParkMobile’ suffered a security incident about three weeks ago.
- The platform played down the significance of the event and has not notified its users.
- The attackers exfiltrated email addresses, phone numbers, license plate numbers, and bcrypt-hashed passwords.
ParkMobile is a platform offering a free app that helps users find open parking spaces across the United States and pay right from their smartphone to save the time needed to fiddle with the meter. It’s just a convenience that people, especially in Atlanta and Washington D.C., love and use – and as always, with convenience come security and privacy risks.
On March 26, 2021, the platform admitted suffering a cybersecurity incident linked to a vulnerability in a third-party software component that it uses. Reportedly, the platform was able to identify the risk in time and stop the actors before they caused extensive damage. The relevant notice also clarified that, according to the preliminary findings of its internal investigation, no sensitive data or payment card information was accessed by the actors.
Unfortunately, though, Gemini Advisory soon discovered a data pack that appears to be the product of that breach, offered for purchase on Russian-speaking cybercrime forums. The data in the listing comprises email addresses, phone numbers, the license plate numbers of all vehicles registered to a user, and bcrypt-hashed passwords. What wasn’t accessed, because ParkMobile doesn’t store it, is parking history, location history, social security numbers, driver’s license numbers, and plaintext passwords.
The platform has informed the authorities about the incident, but users remain in the dark to this day. The affected people haven’t even been prompted to reset their passwords, which they should have been from the moment the breach was discovered. Bcrypt is deliberately slow to compute, which makes brute-forcing every hash expensive, but it is not a guarantee: anyone holding the hashes can run an offline dictionary attack, and weak or commonly used passwords will fall to it regardless of the salt. Also, the people exposed by this incident are targets for phishing, scamming, and social engineering actors, so this is not only about account security.
The dark web seller has set a price tag of $125,000, which is pretty high, so ParkMobile users might have some time before their details are leaked widely. In the meantime, if you are among them, reset your password on ParkMobile and on any other platform where you use the same credentials, and remain vigilant against all unsolicited incoming communications.
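To make the point about hashed passwords concrete, here is an added example (not code from the article, from ParkMobile, or from Gemini Advisory) of the offline dictionary attack an attacker would run against a leaked dump of salted, slow password hashes. Because bcrypt is not in the Python standard library, the example uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in slow hash with an iteration count playing the role of bcrypt's cost factor; the attack logic is the same for real bcrypt output. The two accounts, their passwords, and the wordlist are constructed for illustration.

```python
import hashlib
import hmac
import os

# Iteration count standing in for bcrypt's cost factor. Higher values make
# each guess slower for the attacker, but do nothing for a guessable password.
COST = 20_000


def hash_password(password, salt=None, cost=COST):
    """Salted, iterated hash of a password (stand-in for a bcrypt record)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    return salt, digest, cost


def verify(password, salt, digest, cost):
    """Recompute the hash for a candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    return hmac.compare_digest(candidate, digest)


def build_leak():
    """Constructed sample of what a buyer of the dump would hold: email -> hash record."""
    users = {
        "alice@example.com": "parking1",                     # weak, in every wordlist
        "bob@example.com": "correct horse battery staple",   # unique, long passphrase
    }
    return {email: hash_password(pw) for email, pw in users.items()}


# Constructed wordlist; real attacks use millions of entries from past breaches.
WORDLIST = ["123456", "password", "qwerty", "parking1", "atlanta2021", "letmein"]


def dictionary_attack(leak, wordlist):
    """Offline attack: try each wordlist entry against every leaked record.

    The salt is stored next to the hash, so it does not hide a weak password;
    it only stops one guess from being reused across all accounts at once.
    Returns {email: recovered_password} for every account that was cracked.
    """
    cracked = {}
    for email, (salt, digest, cost) in leak.items():
        for guess in wordlist:
            if verify(guess, salt, digest, cost):
                cracked[email] = guess
                break
    return cracked


if __name__ == "__main__":
    leak = build_leak()
    for email, password in dictionary_attack(leak, WORDLIST).items():
        print(f"cracked {email}: {password!r}")
```

Alice's account falls on the fourth guess even though the hash was salted and slow; Bob's survives only because his passphrase is not in the wordlist. That asymmetry is why a password reset (and not reusing the password elsewhere) matters even when the operator correctly used bcrypt.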