ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users

April 20, 2021

In April 2021, account information for approximately 21 million customers of ParkMobile, a widely used mobile parking app in North America, appeared for sale on a Russian-language cybercrime forum. The stolen data included customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords, and mailing addresses.

What Was Exposed.

The breach was first reported by threat intelligence firm Gemini Advisory, which monitors cybercrime forums for newly listed stolen data. The listing included a screenshot of actual ParkMobile customer records as proof of the dataset's contents.

When contacted for comment, Atlanta-based ParkMobile confirmed the incident and referenced a security notice the company had published on March 26, 2021, citing "a cybersecurity incident linked to a vulnerability in a third-party software that we use." The company stated that it immediately launched an investigation with the assistance of an outside cybersecurity firm and notified law enforcement.

ParkMobile's statement indicated that no sensitive data or payment card information was affected, noting that payment data is stored in encrypted form. The company confirmed that the exposed data included basic account information such as license plate numbers, email addresses, phone numbers, and in some cases mailing addresses. A small percentage of records also included vehicle nicknames provided by users.

On Passwords.

ParkMobile does not store passwords in plain text. Instead, it uses bcrypt, a one-way hashing algorithm that is significantly more resistant to cracking than older methods like MD5. The stolen database included bcrypt hashed passwords. The company noted that it does not retain the cryptographic salt values used in the hashing process, which makes cracking the hashes more difficult, though not impossible given enough time and computing resources.
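In its standard string form, a bcrypt value carries the algorithm version, the cost factor and the 16-byte salt in front of the digest, so a defender can audit a credential table directly from the stored strings. The sketch below is an added example, not ParkMobile's code or anything from the original article; the minimum cost of 12 is an assumed policy value and the sample rows are constructed.

```python
import re
from collections import Counter

# bcrypt uses its own base64 alphabet, not the RFC 4648 one.
B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST = 12  # assumed policy threshold, not a figure from the article


def parse_bcrypt(stored):
    """Split a stored bcrypt string into version, cost, raw salt and digest."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    version, cost, salt_b64, digest = m.groups()
    bits = 0
    for ch in salt_b64:                      # 22 chars * 6 bits = 132 bits
        bits = (bits << 6) | B64.index(ch)
    salt = (bits >> 4).to_bytes(16, "big")   # top 128 bits are the salt
    return {"version": version, "cost": int(cost), "salt": salt, "digest": digest}


def audit(rows, min_cost=MIN_COST):
    """Return (user, finding) pairs for stored values that need attention."""
    parsed = {user: parse_bcrypt(value) for user, value in rows}
    salt_counts = Counter(p["salt"] for p in parsed.values() if p)
    findings = []
    for user, p in parsed.items():
        if p is None:
            findings.append((user, "not a bcrypt string"))
            continue
        if p["cost"] < min_cost:
            findings.append((user, f"cost {p['cost']} below {min_cost}: rehash at next login"))
        if salt_counts[p["salt"]] > 1:
            findings.append((user, "salt shared with another account"))
    return findings


# Constructed rows: format-valid strings, not digests of real passwords.
SAMPLE = [
    ("alice", "$2b$12$" + "CCCCCCCCCCCCCCCCCCCCC." + "a" * 31),
    ("bob",   "$2a$05$" + "CCCCCCCCCCCCCCCCCCCCC." + "b" * 31),
    ("carol", "$2b$12$" + "abcdefghijklmnopqrstuu" + "c" * 31),
    ("dave",  "0123456789abcdef0123456789abcdef"),
]
if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(user, "->", finding)
```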

What Was Notably Absent from the Response.

Despite the scale of the breach, ParkMobile did not proactively prompt users to reset their passwords. The March 26 security notice was not prominently linked from the main ParkMobile website or included in recent press releases. Users who were unaware of the incident had no immediate signal that action was needed on their part.

This matters because the most significant risk from a breach of this type is not the exposed license plate numbers or phone numbers. It is the possibility that affected users employed their ParkMobile password on other accounts tied to the same email address. Credential stuffing attacks, where breached username and password combinations are automatically tested against banking, email, and other services, are routine. If a user reused their ParkMobile password anywhere else, those accounts became vulnerable the moment the database was stolen.

If you were a ParkMobile user and have not already changed your password, doing so is a reasonable precaution. More importantly, if you used the same password on any other service, those passwords should be changed as well.

The Timing.

The breach came at an awkward moment for ParkMobile. On March 9, just weeks before the security notice was published, European parking group EasyPark announced plans to acquire the company, which operates in more than 450 cities across North America.

What This Means for Your Organization.

This breach illustrates two important points. First, third-party software vulnerabilities are a real and underappreciated risk. Organizations must vet the security practices of every vendor with access to their systems or customer data. Second, incident response communication matters. Timely, prominent notification that reaches affected users and clearly explains recommended actions is a basic obligation when a breach occurs.

Cyber One Solutions Can Help.

From third-party vendor risk assessments to incident response planning, Cyber One Solutions helps organizations manage the full spectrum of cybersecurity risk. Contact us today to schedule a consultation.