Someone is selling account information for 21 million customers of ParkMobile, a mobile parking app that’s popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses.
KrebsOnSecurity first heard about the breach from Gemini Advisory, a New York City based threat intelligence firm that keeps a close eye on the cybercrime forums. Gemini shared a new sales thread on a Russian-language crime forum that included my ParkMobile account information in the accompanying screenshot of the stolen data.
Included in the data were my email address and phone number, as well as license plate numbers for four different vehicles we have used over the past decade.
Asked about the sales thread, Atlanta-based ParkMobile said the company published a notification on Mar. 26 about “a cybersecurity incident linked to a vulnerability in a third-party software that we use.”
“In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident,” the notice reads. “Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time.”
The statement continues: “Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems.”
Asked for clarification on what the attackers did access, ParkMobile confirmed it included basic account information – license plate numbers, and if provided, email addresses and/or phone numbers, and vehicle nickname.
“In a small percentage of cases, there may be mailing addresses,” spokesman Jeff Perkins said.
ParkMobile doesn’t store user passwords in the clear; rather it stores the output of bcrypt, a deliberately slow one-way password hashing function whose work factor is tunable, which makes each cracking guess far more resource-intensive and expensive than with fast general-purpose hashes like MD5. The database stolen from ParkMobile and put up for sale includes each user’s bcrypt hash, so the strength of those hashes is what now stands between the buyer and users’ passwords.
“You are correct that bcrypt hashed and salted passwords were obtained,” Perkins said when asked about the screenshot in the database sales thread.
“Note, we do not keep the salt values in our system,” he said. “Additionally, the compromised data does not include parking history, location history, or any other sensitive information. We do not collect social security numbers or driver’s license numbers from our users.”
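To make the bcrypt-and-salt question concrete, here is an added example (written for this page; it is not code from the article, from ParkMobile or from the seller). It parses a bcrypt string in the standard modular-crypt format, which carries the version, the cost parameter and the 22-character salt right alongside the 31-character digest, and it estimates how much guessing a wordlist attack needs when every hash has its own salt versus when hashes are unsalted. The hash string, the wordlist size and the guess rates below are constructed placeholders, not values taken from the stolen database.

```python
import re
from dataclasses import dataclass

# bcrypt modular-crypt format: $2b$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet ("./A-Za-z0-9"),
# which is not standard base64. The salt is part of the stored string,
# so anyone holding the hash also holds the salt.
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptHash:
    version: str
    cost: int
    salt: str
    digest: str

    @property
    def rounds(self) -> int:
        # bcrypt repeats its expensive key schedule 2**cost times per guess
        return 1 << self.cost


def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Split a bcrypt string into its fields; raises ValueError otherwise."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return BcryptHash(m.group("version"), cost, m.group("salt"), m.group("digest"))


def guesses_required(wordlist_size: int, num_hashes: int, salted: bool) -> int:
    """Hash computations needed to try every word against every hash.

    With a unique salt per hash, one computed guess only tests one hash,
    so the work is wordlist_size * num_hashes. Without salts (or with a
    single shared value), one computation tests every hash at once.
    """
    return wordlist_size * num_hashes if salted else wordlist_size


def estimated_seconds(guesses: int, guesses_per_second: float) -> float:
    """Wall-clock estimate for a given cracking throughput (an assumption)."""
    return guesses / guesses_per_second


if __name__ == "__main__":
    # Constructed sample string in bcrypt format; it does not correspond to
    # any real password and nothing here verifies a password against it.
    sample = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
    h = parse_bcrypt(sample)
    print(f"version={h.version} cost={h.cost} rounds={h.rounds} salt={h.salt}")

    # Assumed figures for illustration only: rockyou-sized wordlist,
    # 21 million hashes, and a modest bcrypt cost-12 throughput.
    wordlist, hashes, rate = 14_344_392, 21_000_000, 1_000.0
    for salted in (True, False):
        g = guesses_required(wordlist, hashes, salted)
        days = estimated_seconds(g, rate) / 86_400
        print(f"salted={salted!s:5} guesses={g:,} ~{days:,.0f} days at {rate:g}/s")
```

The takeaway is that a per-user salt is not a secret that must be "kept" separately; it is in the hash string, and its job is to force the attacker to pay the full bcrypt cost once per user per guess rather than once per guess for the whole database. That multiplication, not secrecy of the salt, is what makes a 21-million-row bcrypt dump expensive to crack in bulk.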
ParkMobile says it is finalizing an update to its support site confirming the conclusion of its investigation. But I wonder how many of its users were even aware of this security incident. The Mar. 26 security notice does not appear to be linked to other portions of the ParkMobile site, and it is absent from the company’s list of recent press releases.
It’s also curious that ParkMobile hasn’t asked or forced its users to change their passwords as a precautionary measure. I used the ParkMobile app to reset my password, but there was no messaging in the app that suggested this was a timely thing to do.
So if you’re a ParkMobile user, changing your account password might be a pro move. If it’s any consolation, whoever is selling this data is doing so for an insanely high starting price ($125,000) that is unlikely to be paid by any cybercriminal to a new user with no reputation on the forum.
More importantly, if you used your ParkMobile password at any other site tied to the same email address, it’s time to change those credentials as well (and stop re-using passwords): leaked email/password pairs are routinely replayed against other services, and a cracked ParkMobile hash is only as contained as the reuse of that password.
The breach comes at a tricky time for ParkMobile. On March 9, the European parking group EasyPark announced its plans to acquire the company, which operates in more than 450 cities in North America.
I don’t use any of these kinds of apps. Nor do I do online banking or checking my investments. Yet, I am still not protected… my DENTIST’s database got hacked. I am at a loss of what I can do because once your info is out there we rely on the keepers to protect it. Not even the Credit Bureaus are doing a good job on this issue. And I NEVER gave them the right to my information!
When you initiate a transaction, you are giving them the right to obtain information. It is up to the provider to safeguard that information. Unfortunately, phishing is the most common way to obtain information. It is often too late to find out when the breach happens, and it takes a while to dig down as to what had happened (you’re poring over millions of lines of code to see what had changed) once it is known. I’ll say the same thing: keep your passwords different and hard to crack (keep a handy notebook for reference, as most people don’t).
Use Park Mobile all the time and never received any notification ~March 26. Will change PW now. Thanks, Brian!
If they do not store the salt in the password database, are the passwords actually salted? Do they store the salt in a different database? Do they use one salt, and it is hardcoded or provided in the applications configuration information?
You can salt a password using information from the password itself. If an attacker doesn’t know how it’s salted then it’s very effective. The only limit to the salting algorithm is your imagination!
You’re advocating security by obscurity and design your own crypto algorithms here?
You are confusing “design” with “implement”.
deriving the salt from the password would be deterministic and defeat one of the key protections afforded by salting. with a random salt ‘password123’ is different for each random salt.. with a deterministic approach all users with password123 will have the same hash value. not exactly optimal.
Good question! I’m assuming they use one salt and it’s stored in the application’s code. I suppose they could be using a secret manager for the salt, but that would be a pretty weird solution.
If they’re using a single salt for all the passwords, then it’s called a “pepper”, which does not contribute as much to security as a salt does. There is nothing wrong, at all, with storing the salt along with the encrypted password.
The passwords aren’t salted and can be broken with the command (available in every linux distribution):
sudo hashcat -w 3 -m 3200 -a 0 -O --potfile-path ~/.hashcat/liker.potfile -D 1,2 ./Parkmobile_RF/parkHashes.txt rockyou.txt
rockyou.txt => available on github
sudo apt install hashcat => available in ubuntu/kali linux
Can be broken at a rate of 1-2 per minute for anyone with a *gaming* GPU. Someone with a mining operation would be 10-100x faster than that.
Thanks for the story, Brian. Prior to this, I hadn’t received any notification from either ParkMobile or the local city where I use this app. I wonder whether ParkMobile even notified the city governments who have contracted with company for use of the app?
Unfortunately it takes time to get those details before they’re spread on Russian forums for sale to get some rubles. Sure, it’s really a shame to see customers’ confidential info rolling all over the dark web in the hands of cyber crooks. Call to action.
Great, another app that I had to use once 2 years ago because it was the only way to pay for parking in that particular vacation spot…. Had to reinstall the darn thing to check what information had been provided.
You can’t remove the default Apple Pay payment method.
You can’t delete all vehicles from the app.
You can at least change the associated email address and phone number, but it’s a bit late for that to be helpful.
Funny that ParkMobile was able to send me an email in moments after changing my password, but couldn’t send out a notification to let me know of the breach….
Once you put a default Apple Pay, you can’t delete it but can change it to another card info. The same goes for vehicle info.
Thanks Brian, I never received any notification. Changed my password..
Ditto. Security through obscurity. 8^)
Always great that SOMEone responsible is letting us know when user data is being sold. The company sure as hell didn’t bother telling us! 🙁
I didn’t receive any notification but someone tried changing my password today. Now I know why.
“The stolen data includes… dates of birth”
Really? Why would this need dates of birth?
I’m wondering the same thing. Any time I am asked for it for no good reason, they get the Java-notable “Jan. 1, 1970”.
“it stores the output of a fairly robust one-way password hashing algorithm called bcrypt,”
“Note, we do not keep the salt values in our system,”
Pick one. The bcrypt hash includes the salt.
Here’s my idea:
Create a national law to penalize entities which get breached. Maybe a dollar or 2 for each account that gets breached plus direct notification to the account holder–within 2 days of finding the breach–or it’s time to go out of business? On top of that, a five dollar penalty per account that gets breached payable to the account holder. Were we able to do that now, Parkmobile’s fine would be $21 million, plus $105 million for their account holders. I bet companies would start doing a better job of protecting their user accounts.
You mean like GDPR and CCPA, but national? Yeah.
…the only problem with that is that the price the consumer pays then goes up to pay for the fines…
I’m tired of these breaches. Pretty clearly the entities involved don’t care that much. If they did, they’d do a better job of protecting their user’s data.
But I have an idea: how about a NATIONAL law that says: If the company has *any* facilities in the United States and their web presence gets breached, and customer data stolen, then a simple penalty: A ten US Dollar fine for every account that is breached, of which $5 will be paid to the account holder. Additionally, the company would be required to let their customers know within 2 days, and if they fail at that, then the fine should be **serious**.
CCPA in california does this. Other states will follow suit. But yeah, a national law would be better.
Seems fair to me (Oh and I’m in the UK, so standard internet exchange rates, make that a £10 fine, with £5 going to me )
Cue the phone call “Hello Mr T, I’m calling from EasyPark regarding the data breach, I can give you compensation of £10, now if I can just have your bank details…”
I logged on with my cell phone and tried to change my password. It would not accept any new password I entered, with an error stating that one among a list of special characters (* & ^ etc) was needed. However including one or more of these special characters would not allow my new password to be accepted.
Ran into same issue. It should be rephrased to mean “the only special characters allowed are the following: …”
Also, be mindful if you use a password vault app that likes to autofill – on that password change section, it’s “provide current, then provide new” – not “provide new, verify/confirm new”
I had used this app one (1) time. And they got all this info. Disgusting. Changed my pw.
I’m based in the UK, but the signage in the pictures looked familiar… and sure enough, the EasyPark group taking over ParkMobile also owns “RingGo”, whose services I’m forced to use if I take the train – there is no facility to pay for parking with cash; it’s either RingGo or stuff my card in a machine – which seems to be connected via a 14.4K dialup modem.
I’ve heard it said that anyone can be breached. Huge fines sounds like a great way to put a competitor out of business – just “help” them get breached. Perhaps a preliminary focus for a national law could start with requirements companies should have for detecting breaches, logging access, and then perhaps even require notifications when breaches occur. If one is tired of hearing about all the breaches now, just imagine the exhaustion if we strengthened notification laws.
Not a great way.
Sure, a competing bank could hire bank robbers… but that’s just stupid.
Becoming implicated in an overt criminal act is FAR riskier than it’s worth. You think that the hackers would have honor and not point the finger?
You underestimate criminality in broad strokes.
How so?
Are you suggesting corporate executives would not analyze the risk/reward of such a criminal enterprise?
There’s a reason why this type of crime doesn’t exist. Corporate espionage may have direct benefits depending on trade secrets… but this business to business crime is just infeasible.
Trying to bankrupt a competitor by having them pay fines to the government?
Unfortunately, I had to use this company’s services because they were the only way to use public parking in a municipality that I visited. They failed to notify me whatsoever of this breach. Lovely.
Does the breach only relates to the US or are other countries also involved (and if so, do you know which countries) ?
They did send out a notice, but the subject line looks just like their normal update email…
“Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems.”
When they say this, it seems to follow that all was lost, they just don’t know it yet.
I just went to change my ParkMobile pw, only to find that they seem to be doing something stupid in the web U/I with cleartext eval/manipulation of passwords – I entered a password that meets all their criteria – “Password must be between 8-25 characters in length, contain at least 1 upper case character, 1 lower case character, a number (0-9), and a special character (!@#$%^&).” – only to get an error message; my best guess is that the presence of punctuation characters *not* in their list caused their password change engine to crash and fail (my random pwd generator’s output included a tilde, an open-bracket, and a close-brace character).
*sigh*
agree. it would be great if programs & sites would all adhere to ‘minimum standard’ for passwords… all too many limit the # of characters to a very low number like 8-15, don’t support all the standard special characters, etc. If you want to have a low threshold for password that’s one thing but don’t restrict those that want to use a complex long one.
There have been a number of breaches now where the simple response seems to be “third party failure”.
Two things come to mind with this – one is that many of these organizations had an internal failure and just tried to cover up the PR space by saying it was someone else – the Ubiquiti article by Krebs being a great example. These companies should absolutely be roasted if it is found to be an internal failure instead, and the legal team should face ramifications.
Second – When these are 3rd party breaches, it is still your failure. You contracted out the work – you assumed the risk of the vendor. Boeing does not make computer chips but if a computer fails and a plane goes down, who are we looking at? We keep letting orgs use the cop out of 3rd party as if it makes it better, in my eyes it makes it much much worse.
Their response, in a nutshell, sucks. “Hey look it’s only your license plate, email addy, and cell phone number that was taken!”
Why did I have to find out about this breach from this article and not from ParkMobile themselves? Funny that when I went into the app there was now a notification of the breach, dated AFTER this article was published. Kind of feels like they’re more interested in minimizing their own impact and attempting to just sweep it under the rug than doing anything to look out for the users of their app.
Today, April 20, I received an email from ParkMobile notifying me of the breach and telling me to change my password via a link in their message (the url starts with “ablink.mail.parkmobile.io”). I KNOW the breach is legitimate so I know the content of the ParkMobile message is legit, and I should assume the email itself is legit from ParkMobile and therefore should click the link to change my password. But my paranoia about phishing still overwhelms my rational side and I refuse to click the link – I’ll change my password by manually going to their web site or app. But more importantly, why don’t companies such as ParkMobile recognize this phishing fear (or more positively, I’ll call it a phishing awareness) too – why do they send messages with embedded links – especially with links that are not to recognizable parkmobile.COM but to something else (parkmobile.IO) that I don’t identify as actually being from them?
Worst case I have seen is a mobile provider sending an SMS with something along the lines: “Be wary of phishing. Click here to find out more” :facepalm:
That’s exactly why we should oppose data collection to begin with.
These companies should find a way to limit data retention to the minimum needed to provide the service.
I am really excited to get more car warranty expiry calls now. I can have them tell me what car I have for a change AND my license plate!
Sooo … for those of us who aren’t fully savvy on this stuff, will cybercriminals be able to access/decrypt the passwords and payment info?
Hi Brian,
I’ve been trying to get in contact with you about this breach.
I actually work in the security industry and am a huge admirer of your work. I’ve personally dealt with skimmer and chip card fraud gangs, and your writing was amazingly helpful when there wasn’t very much info on the subject at all.
Unfortunately, I’ve been dealing with the end of a very violent abusive relationship.
Directly after the ParkMobile breach, my ex (who is currently a fugitive) used the data from the breach in combination with iOS malware to track me down and attempt to break into my house.
ParkMobile never even sent an email regarding the breach to their customers. They claim the data that was leaked was “not sensitive”. I am in the planning stages for a lawsuit against them, because their negligence and improper security controls lead to him locating me and the dangerous situation that happened afterwards.
They refuse to acknowledge the danger of the information that was released. I know my circumstances are unique and abnormal compared to the other customers that had their info leaked, but ParkMobile is not doing even the minimum to protect their customers.
Ironically, after the breach, we had incidents in my city of compromised readers in the parking meters, as those who were using the app switched to using cards at the meter to avoid the app.
I would love if you would be able to publicize my case in order to force ParkMobile to acknowledge their failure and protect those who are suffering as a result.
I was just informed that two email addresses that I used were being sold on the open internet and that it is possible that my passwords were compromised, and ParkMobile was listed as the site that was responsible.
I read through the statement about the breach and I believe, as usual, companies do everything to minimize the impact of the breach even though you have millions of customers being affected. ParkMobile is 100% responsible for this breach. In this day and time customers use their email accounts for all kinds of transactions and personal information. This can potentially lead to major issues for millions of trusted customers.
The worst thing is that I had to find this out through my monitoring service and not ParkMobile. Shame on your company