Someone is selling account information for 21 million customers of ParkMobile, a mobile parking app that’s popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses.
KrebsOnSecurity first heard about the breach from Gemini Advisory, a New York City based threat intelligence firm that keeps a close eye on the cybercrime forums. Gemini shared a new sales thread on a Russian-language crime forum that included my ParkMobile account information in the accompanying screenshot of the stolen data.
Included in the data were my email address and phone number, as well as license plate numbers for four different vehicles we have used over the past decade.
Asked about the sales thread, Atlanta-based ParkMobile said the company published a notification on Mar. 26 about “a cybersecurity incident linked to a vulnerability in a third-party software that we use.”
“In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident,” the notice reads. “Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time.”
The statement continues: “Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems.”
Asked for clarification on what the attackers did access, ParkMobile confirmed it included basic account information – license plate numbers, and if provided, email addresses and/or phone numbers, and vehicle nickname.
“In a small percentage of cases, there may be mailing addresses,” spokesman Jeff Perkins said.
ParkMobile doesn’t store user passwords, but rather it stores the output of a fairly robust one-way password hashing algorithm called bcrypt, which is far more resource-intensive and expensive to crack than common alternatives like MD5. The database stolen from ParkMobile and put up for sale includes each user’s bcrypt hash.
“You are correct that bcrypt hashed and salted passwords were obtained,” Perkins said when asked about the screenshot in the database sales thread.
“Note, we do not keep the salt values in our system,” he said. “Additionally, the compromised data does not include parking history, location history, or any other sensitive information. We do not collect social security numbers or driver’s license numbers from our users.”
ParkMobile says it is finalizing an update to its support site confirming the conclusion of its investigation. But I wonder how many of its users were even aware of this security incident. The Mar. 26 security notice does not appear to be linked to other portions of the ParkMobile site, and it is absent from the company’s list of recent press releases.
It’s also curious that ParkMobile hasn’t asked or forced its users to change their passwords as a precautionary measure. I used the ParkMobile app to reset my password, but there was no messaging in the app that suggested this was a timely thing to do.
So if you’re a ParkMobile user, changing your account password might be a pro move. If it’s any consolation, whoever is selling this data is doing so for an insanely high starting price ($125,000) that is unlikely to be paid by any cybercriminal to a new user with no reputation on the forum.
More importantly, if you used your ParkMobile password at any other site tied to the same email address, it’s time to change those credentials as well (and stop re-using passwords).
The breach comes at a tricky time for ParkMobile. On March 9, the European parking group EasyPark announced its plans to acquire the company, which operates in more than 450 cities in North America.