ParkMobile Breach Leaves Data of 21M Users Exposed
License Plate Data and Mobile Numbers of 21M Users Are Being Sold After ParkMobile Experienced a Data Breach.
The account information of 21 million customers of ParkMobile, a very popular mobile parking app from North America, is now being sold online due to a data breach. The information includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords, and mailing addresses.
In March, ParkMobile published a statement about this cybersecurity incident and said that it was linked to a vulnerability in third-party software that it uses.
“In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident. Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time.
“Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems.”
Asked for clarification on what the attackers did access, ParkMobile confirmed it included basic account information – license plate numbers, and if provided, email addresses and/or phone numbers, and vehicle nickname.
ParkMobile doesn’t store user passwords, but rather it stores the output of a fairly robust one-way password hashing algorithm called bcrypt, which is far more resource-intensive and expensive to crack than common alternatives like MD5. The database stolen from ParkMobile and put up for sale includes each user’s bcrypt hash.
“Note, we do not keep the salt values in our system,” spokesman Jeff Perkins said. “Additionally, the compromised data does not include parking history, location history, or any other sensitive information. We do not collect social security numbers or driver’s license numbers from our users.”
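Added example (not from ParkMobile or the original article): a stored bcrypt string in the standard modular crypt format carries its version, cost factor and salt alongside the digest, so a defender auditing a credential table can read the work factor from each value and flag fast-hash leftovers such as 32-hex MD5 digests. The sample strings, the `MIN_COST` threshold and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet, not the RFC 4648 one.
B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
HEX32_RE = re.compile(r"^[0-9a-fA-F]{32}$")
MIN_COST = 12  # assumed policy threshold, not a value from the article

# Illustrative samples, not taken from any breach data.
SAMPLE = "$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"
LOW_COST = "$2a$04$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"
HEX32 = "0123456789abcdef0123456789abcdef"

@dataclass
class BcryptHash:
    version: str
    cost: int
    salt: bytes    # 16 bytes, stored in the hash string itself
    digest: bytes  # 23 bytes

    @property
    def rounds(self) -> int:
        return 1 << self.cost  # key-setup iterations double per cost step

def _b64decode(text):
    acc = nbits = 0
    out = bytearray()
    for ch in text:
        acc = (acc << 6) | B64.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)

def parse_bcrypt(stored):
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    version, cost, salt, digest = m.groups()
    return BcryptHash(version, int(cost), _b64decode(salt), _b64decode(digest))

def audit(stored, min_cost=MIN_COST):
    parsed = parse_bcrypt(stored)
    if parsed:
        return "ok" if parsed.cost >= min_cost else "bcrypt-cost-too-low"
    return "fast-hash-suspected" if HEX32_RE.match(stored) else "unknown-format"
```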
ParkMobile released an updated statement on its website, in which it states that basic user information – license plate numbers and, if provided by the user, email addresses and/or phone numbers, and vehicle nicknames – was accessed.
“In keeping with our commitment to transparency, we want to share an update on the cybersecurity incident we announced last month.
“Our investigation concluded that encrypted passwords, but not the encryption keys needed to read them, were accessed. While we protect user passwords by encrypting them with advanced hashing and salting technologies, as an added precaution, users may consider changing their passwords in the “Settings” section of the ParkMobile app or by clicking this link.
“Our investigation has confirmed that basic user information – license plate numbers and, if provided by the user, email addresses and/or phone numbers, and vehicle nicknames – was accessed. In a small percentage of cases, mailing addresses were affected. No credit cards or parking transaction history were accessed, and we do not collect Social Security numbers, driver’s license numbers, or dates of birth.
“Please rest assured we take seriously our responsibility to safeguard the security of our users’ information and appreciate your continued trust.”
In situations like these, changing your account password and other credentials might be the best move, as good credential hygiene might be what keeps your data safe.