[BreachExchange] Breach on ‘ParkMobile’ Results in Exposure of 21 Million Users

Tue Apr 13 10:15:03 EDT 2021

https://www.technadu.com/breach-parkmobile-results-exposure-21-million-users/264467/

Parking platform ‘ParkMobile’ had suffered a security incident about
three weeks ago.
The platform played down the significance of the event and didn’t even
bother to notify the users.

The attackers got to exfiltrate email addresses, phone numbers,
license plate numbers, and bcrypted passwords.

ParkMobile is a platform offering a free app that helps users find
open parking spaces across the United States and pay right from their
smartphone to save the time needed to fiddle with the meter. It’s just
a convenience that people, especially in Atlanta and Washington D.C.,
love and use – and as always, with convenience come security and
privacy risks.

On March 26, 2021, the platform admitted suffering a cybersecurity
incident linked to a vulnerability in a third-party software that they
use. Reportedly, the platform was able to identify the risk in time
and stop the actors before they caused extensive damage. Also, the
relevant notice clarified that according to the preliminary findings
of their internal investigation, no sensitive data or Payment Card
information was accessed by the actors.

Unfortunately, though, Gemini Advisory soon discovered a data pack
that appears to be the product of that breach, which was offered for
purchase on Russian-speaking cybercrime forums. The data included in
the listing concern email addresses, phone numbers, license plate
numbers for all registered vehicles of a user, and bcrypted passwords.
What hasn’t been accessed (as ParkMobile doesn’t store it) is the
parking history, location history, social security numbers, driver’s
license numbers, and plaintext passwords.

The platform has informed the authorities about the incident, but
users remain in the dark to this day. The affected people haven’t even
been prompted to reset their passwords, as they should have done from
the moment the breach was discovered. Bcrypt hashes are hard to break,
but they shouldn’t be treated as the ultimate security machine. Also,
the people who were exposed by this incident are targets for phishing,
scamming, and social engineering actors, so this is not only about
account security.

The dark web seller has set a price tag of $125,000, which is pretty
high, so ParkMobile users might have some time before their details
are massively leaked. In the meantime, if you are among them, reset
your password on ParkMobile and any other platform you may be using
the same credentials, and remain vigilant against all incoming
unsolicited communications.