Parking app hacked, license plates and mobile numbers of 21 million users leaked

A security report notes that an unidentified threat actor is selling the confidential information of about 21 million users of ParkMobile, a very popular parking app in the northern United States. The compromised information includes email addresses, license plate numbers, hashed passwords, and phone numbers.

KrebsOnSecurity experts detected this leak in collaboration with security firm Gemini Advisory. Researchers reported the detection of a new sales thread on a Russian-speaking cybercriminal forum claiming that the leak came from ParkMobile systems.

In this regard, the Atlanta-based company said that the cybersecurity incident is related to the compromise of third-party software: “We have initiated an investigation in collaboration with external cybersecurity specialists. As a precaution, we also notify the relevant authorities of the incident.”

It should be noted that ParkMobile does not store users’ passwords in plain text. It stores the output of a password-hashing algorithm called bcrypt, which requires many more resources to compute and is therefore much harder to crack than other solutions like MD5. ParkMobile’s compromised information includes each user’s bcrypt password hash.
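To make the bcrypt versus MD5 point concrete, the following added example (not code from ParkMobile or from the report) reads the cost factor out of stored hash strings and flags entries that should be upgraded. The sample rows are constructed placeholders and `MIN_COST` is an assumed policy value.

```python
import re

# bcrypt modular-crypt layout: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
MIN_COST = 12  # assumed policy floor for this example, not a value from the article


def classify(stored: str) -> dict:
    """Describe one stored password value; no plaintext is ever involved."""
    m = BCRYPT_RE.fullmatch(stored)
    if m:
        version, cost = m.group(1), int(m.group(2))
        if not 4 <= cost <= 31:
            return {"scheme": "invalid", "needs_rehash": True}
        return {
            "scheme": "bcrypt",
            "version": version,
            "cost": cost,
            # bcrypt repeats its expensive key setup 2**cost times per guess
            "key_setup_rounds": 2 ** cost,
            "needs_rehash": cost < MIN_COST,
        }
    if MD5_RE.fullmatch(stored):
        # a bare MD5 digest carries no cost parameter: one fast hash per guess
        return {"scheme": "md5", "key_setup_rounds": 1, "needs_rehash": True}
    return {"scheme": "unknown", "needs_rehash": True}


def audit(rows):
    """Return the user ids whose stored value should be upgraded at next login."""
    return [uid for uid, stored in rows if classify(stored)["needs_rehash"]]


# Constructed sample data: placeholder salt/digest characters, not real hashes.
SALT, DIGEST = "a" * 22, "b" * 31
SAMPLE_ROWS = [
    ("user-1", "$2b$12$" + SALT + DIGEST),  # bcrypt at the assumed floor
    ("user-2", "$2a$08$" + SALT + DIGEST),  # bcrypt, cost below the floor
    ("user-3", "ab" * 16),                  # 32 hex chars, shaped like MD5
    ("user-4", "not-a-hash"),               # unrecognised format
]

if __name__ == "__main__":
    for uid, stored in SAMPLE_ROWS:
        print(uid, classify(stored))
    print("rehash:", audit(SAMPLE_ROWS))
```

Each step up in cost doubles the work an attacker must spend per guess against a leaked hash, which is why the cost stored in the string is worth auditing.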

The company’s experts claim that they are already working on an update to its website, although they did not specify whether all of their users are already aware of the leak; none of the press releases listed by the company mention the incident to the general public. ParkMobile representatives have also not asked their users to change their passwords as an additional security measure, which suggests that many users remain unaware of this incident.

Fortunately it’s not all bad news, as experts report that the seller of this information is requesting about $125,000, a ridiculously high price for such a database, so the information is unlikely to be sold in the near future.
