A cybercriminal using the nickname “hameraib” is attempting to sell what they claim to be 21.1 million records that were exfiltrated from EasyPark last December.
EasyPark is a tech firm offering a mobile service for parking payments, allowing users to find, manage, and pay for parking spots and EV charging across Europe, North America, Australia, and other parts of the world.
On December 10, 2023, the company suffered a data breach that impacted customer personal data, resulting in the exposure of names, phone numbers, emails, home addresses, and some digits of their IBAN and payment cards.
Today, the threat monitoring service HackManac spotted a sale of EasyPark data on a hacker forum. The cybercriminal organizing the sale claims that they first attempted to extort the firm, but failed, so they decided to make it available for purchase by anyone paying $39,995 in Bitcoin, Monero, Solana, or Ethereum.
The data is organized in CSV, SQL, XLSX, or JSON format, while interested buyers may also PM “hameraib” to receive a data sample. The dataset’s contents reflect the type of information EasyPark confirmed as breached back in December, so there are no surprises or additions on that front.
EasyPark added an update to its original statement in mid-January 2024, stating that hackers may have also accessed hashed versions of user passwords, and those impacted will receive an email, SMS, or push notification urging them to reset it. The hashing algorithm EasyPark uses for protecting user passwords is bcrypt, which is generally considered strong and automatically generates and applies salts to each password. Nevertheless, it is recommended that impacted users change their passwords as soon as possible, both on EasyPark and any other online platforms where they might be using the same credentials.
RestorePrivacy has contacted EasyPark with a query about hameraib’s allegations, but the firm has not confirmed the validity or potential authenticity of the data samples the cybercriminal offers.