Just another day in the wild wild west that they call the internet. It seems that a popular mobile parking app called ParkMobile is suffering from a data breach that is allowing someone to sell personal information related to 21 million customers of the app. These customers use ParkMobile to find open parking spots and pay for them without having to run to the parking meter every few minutes.
21 million ParkMobile customers have some of their sensitive personal data up for sale
On his blog, KrebsOnSecurity, cybersecurity reporter Brian Krebs noted the extent of the data available for purchase. This includes the app's customers' email addresses, phone numbers, license plate numbers, dates of birth, mailing addresses, and hashed passwords. The information about the data breach first came to Krebs' attention from New York City-based threat intelligence firm Gemini Advisory.
According to Krebs, "Gemini shared a new sales thread on a Russian-language crime forum that included my ParkMobile account information in the accompanying screenshot of the stolen data. Included in the data were my email address and phone number, as well as license plate numbers for four different vehicles we have used over the past decade."
On March 26th, ParkMobile notified subscribers that it had detected "a cybersecurity incident linked to a vulnerability in a third-party software that we use. In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident. Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time."
ParkMobile was able to tell concerned users that no credit card information was stolen. In a statement, the company said, "Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems."
ParkMobile has been working on an update to its support site which includes details revealing the conclusion of its investigation of the data breach. While the company did not initially suggest to users that they change their passwords, this would be the prudent move to make and Krebs himself did so with his ParkMobile account. In fact, if you reuse your password on other accounts, you might want to change ALL of your passwords even though it might take some time to accomplish.
Giving ParkMobile more incentive to improve its security, on March 9th, European parking firm EasyPark, which offers a service similar to ParkMobile's, offered to buy the company. ParkMobile is the top parking app in North America with 22 million users and a presence in 450 U.S. cities.
The information taken from ParkMobile's customers was offered for sale at the price of $125,000. Krebs believes that this is too high a price for a cybercriminal to pay for data offered by someone without a reputation online, and that the price could keep the data from being bought.
A week ago, ParkMobile updated its security notification site and added the following: "Our investigation concluded that encrypted passwords, but not the encryption keys needed to read them, were accessed. While we protect user passwords by encrypting them with advanced hashing and salting technologies, as an added precaution, users may consider changing their passwords in the "Settings" section of the ParkMobile app...
Our investigation has confirmed that basic user information – license plate numbers and, if provided by the user, email addresses and/or phone numbers, and vehicle nicknames – was accessed. In a small percentage of cases, mailing addresses were affected. No credit cards or parking transaction history were accessed, and we do not collect Social Security numbers, driver’s license numbers, or dates of birth.
Please rest assured we take seriously our responsibility to safeguard the security of our users' information and appreciate your continued trust."
To reiterate, if you are a ParkMobile customer, you might want to change all of your passwords. If that is too much work for you, at least change the password on any other app or account where you reuse the one from your ParkMobile account.