Due to a data breach, the account details of 21 million customers of ParkMobile, a prominent mobile parking app in North America, are now being sold online. The data includes customer email addresses, date of birth, phone numbers, license plate numbers, hashed passwords, and mailing addresses.
ParkMobile issued a statement regarding the cybersecurity incident in March, stating that it was caused by a vulnerability in third-party applications employed by them.
The sources state, “In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident. Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time. Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems.”
When asked for clarification on what information the attackers gained access to, ParkMobile reported that it included basic account information such as license plate numbers, email addresses and/or phone numbers if given, and vehicle nickname.
ParkMobile does not store user passwords, but rather it stores the output of a fairly robust one-way password hashing algorithm called bcrypt, which is much more resource-intensive and expensive to crack than common alternatives like MD5. The database stolen from ParkMobile and put up for sale includes each user’s bcrypt hash.
According to the source, the company stated, “In keeping with our commitment to transparency, we want to share an update on the cybersecurity incident we announced last month. Our investigation concluded that encrypted passwords, but not the encryption keys needed to read them, were accessed.”
“While we protect user passwords by encrypting them with advanced hashing and salting technologies, as an added precaution, users may consider changing their passwords in the “Settings” section of the ParkMobile app or by clicking this link. Our investigation has confirmed that basic user information – license plate numbers and, if provided by the user, email addresses and/or phone numbers, and vehicle nicknames – was accessed.”
“In a small percentage of cases, mailing addresses were affected. No credit cards or parking transaction history was accessed, and we do not collect Social Security numbers, driver’s license numbers, or dates of birth. Please rest assured we take seriously our responsibility to safeguard the security of our users’ information and appreciate your continued trust,” the company further added.
In these cases, changing the account password and other credentials may be the best course of action, as good credential hygiene may be the key to keeping the data secure.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.