The sample data from ParkMobile shared by a hacker on a cybercrime forum reveals data allegedly belonging to some big names including Hillary Clinton, Donald Trump, and cybersecurity journalist Brian Krebs, etc.
ParkMobile is an Atlanta, GA-based company that offers a free app allowing users to find open parking spaces across the United States and pay from the comfort of their cars through their smartphones to save the time needed to fiddle with the meter.
This convenient app is used by many people in Atlanta and Washington D.C. However, with this convenience comes security and privacy risks. On 26th March 2021, ParkMobile admitted to having undergone a cyberattack linked to a vulnerability in third-party software that they use.
The company claimed to have been able to identify the vulnerability just in time to stop the actors before they caused extensive damage. Moreover, an update by the platform clarified that according to the preliminary findings of their internal investigation, no sensitive data or payment card information was accessed by the actors.
However, cybersecurity researchers at Gemini Advisory soon discovered a database from the breach being offered for purchase on several hacker forums including Russian-speaking cybercrime forums. The data included in the listing concern email addresses, phone numbers, license plate numbers for all registered vehicles of a user, and hashed passwords.
The data items that have not been accessed because they were not present in the ParkMobile database, to begin with, are parking history, location history, social security numbers, driver’s license numbers, and plaintext passwords.
However, a look at alleged sample data reveals that the information includes the personal data of some high-profile individuals including Hillary Clinton, Donald Trump, and cybersecurity journalist Brian Krebs who has acknowledged that his data was among ParkMobile breach.
Although the platform informed the authorities regarding the incident, the relevant users affected have been kept in the dark and have not been informed to change their passwords, which should have been done as soon as the breach was discovered.
These affected users whose data has been exposed are also inherently prone to phishing, scamming, and social engineering actors, making this incident more than just about account security. Even though bcrypt hashes are difficult to break, they should not be treated as the ultimate security machine.
On the brighter side of things, the dark web seller has set a price tag of $125,000 which is pretty high, all things considered, ParkMobile users may have some time before their details are massively leaked.
In the meanwhile, if you are among the users, it would be a pro move to reset your password on ParkMoile and any other platform which may be using the same credentials. Lastly, you are all advised to remain vigilant against all incoming unsolicited communications.