Cyber Incident Victim: ParkMobile
Date: Mar 2021
Location: United States of America
Summary
A cybersecurity incident at ParkMobile, stemming from a third-party software vulnerability, compromised account data of approximately 21 million users. Exposed information included email addresses, phone numbers, license plate details, vehicle nicknames, some mailing addresses, and bcrypt-hashed passwords—though payment card information and sensitive data like Social Security numbers were unaffected. The company initiated an investigation with external cybersecurity experts, notified law enforcement, and addressed the vulnerability, but did not enforce password resets for users. The breach occurred amid the company's acquisition announcement by a European parking group. Stolen data was later advertised for sale on a cybercrime forum.
Description
The ParkMobile breach was identified in late March 2021 when threat intelligence firm Gemini Advisory discovered a sales thread on a Russian-language cybercrime forum offering account data for 21 million users of the North American parking app. The forum post included a screenshot containing the personal information of KrebsOnSecurity's reporter, validating the breach's authenticity. Exposed data encompassed email addresses, phone numbers, license plate numbers, vehicle nicknames, bcrypt-hashed passwords, dates of birth, and mailing addresses for a small percentage of users. ParkMobile confirmed the incident on March 26 through a security notice attributing the breach to a vulnerability in unspecified third-party software. The company initiated an investigation with a cybersecurity firm, notified law enforcement, and claimed to have remediated the third-party vulnerability while maintaining system monitoring.

ParkMobile asserted that, because of encryption measures, no payment card information or sensitive data like Social Security numbers was compromised. The stolen database excluded parking history, location data, and driver's license numbers. Despite the exposure of password hashes, the company did not force password resets or prominently alert users through its app or support channels. Security researchers noted the breach notification lacked visibility on ParkMobile's website and press release listings. The data seller demanded $125,000 for the stolen records, though the credibility of this transaction was questioned given the seller's lack of forum reputation. The incident coincided with EasyPark's March 9 announcement of its acquisition of ParkMobile, which operated in over 450 North American cities. User impacts centered on potential credential reuse risks, as bcrypt's computational complexity offered some protection against hash cracking attempts despite the absence of stored salt values in ParkMobile's systems.
