Parking app developer EasyPark has published a notice on its website warning of a data breach it discovered on December 10, 2023, which impacts an unknown number of its millions of users.
EasyPark is a Swedish company that creates mobile and web apps that serve as parking space locators, booking managers, and EV charging point finders.
The company operates digital parking services in 20 countries and over 4,000 cities, covering most of Europe, the United States, Australia, New Zealand, and the UK.
The EasyPark app (Europe-focused) has over 10 million downloads on Google Play, while its other apps, RingGo (UK-focused) and ParkMobile (US-focused), have 5 million installs each.
As reported by BleepingComputer, ParkMobile disclosed a massive data breach in 2021 that exposed the data of 21 million customers. The stolen database was subsequently released for free on a hacking forum.
Although a company spokesperson has declined to provide details about this new breach and how many customers were impacted, they told BleepingComputer that a portion of European users had been affected, indicating that the incident concerns mainly EasyPark app users.
The company’s announcement mentions that some customers have had the following information compromised, depending on what they have provided to the platform:
- Name
- Phone number
- Physical address
- Email address
- Some digits of their credit card/debit card or IBAN
The above could help cybercriminals launch effective phishing attacks against the exposed EasyPark users, which the company warns explicitly about in the data breach notice.
However, the company clarifies that the disclosed data does not pose a risk for executing unauthorized transactions, and no such activities have resulted from the cybersecurity incident.
Users who are impacted by this incident will receive personalized notices from EasyPark via in-app messages, push notifications, email, and SMS.
“If you want to know if you are affected, please open the app,” suggests the FAQ on the data breach notice.
At this time, the app’s services continue to be accessible as normal, while EasyPark’s security team is implementing additional security and privacy measures to ensure that the adverse effects of the incident have been contained.
The data protection authorities in Sweden, the United Kingdom, and Switzerland have been notified about the incident.
As a precaution, and since the nature of the cybersecurity incident remains undisclosed, it would be prudent for all users to reset their account passwords and do the same on all online platforms where they might be using the same credentials.
At the time of writing, no ransomware groups have taken responsibility for an attack on EasyPark.
However, threat actors have already started looking for the stolen data in hacking forum posts seen by BleepingComputer.