A spokesperson from Gemini Advisory, a New York City-based threat intelligence firm, released a statement about a massive data breach at the popular mobile parking app ParkMobile that puts at risk the personal information of more than 21 million users. The stolen data includes sensitive information such as email addresses, dates of birth, license plate numbers, mobile numbers, hashed passwords and mailing addresses.

ParkMobile published a notification on March 26 about a “cybersecurity incident linked to a vulnerability in a third-party software that we use”, then went on to elaborate: “in response to it, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident”. The company also noted that “out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time.”

Gemini asked for clarification about what the attackers actually had access to, and ParkMobile confirmed that the breach included basic account information such as license plate numbers and, if provided, email addresses and/or phone numbers and vehicle nicknames. They also added that they “do not store user passwords, but rather store the output of a fairly robust one-way password hashing algorithm called bcrypt, which is far more resource-intensive and expensive to crack than common alternatives like MD5”.

One thing that we find a bit odd is that ParkMobile hasn’t asked or forced its users to change their passwords as a precautionary measure. However, if you are a ParkMobile user, we strongly suggest you do.