A Parking App Leaked 2.1 Million License Plates, and Its Bug Bounty Was a Hoodie
ParkSwift stored plate numbers, payment tokens, and GPS history in an open database. The researcher who reported it got merch and a legal threat.
This is synthetic placeholder content. All companies, people, and events in this article are fictional.
ParkSwift, a parking payment app used by dozens of municipalities, left a database containing 2.1 million license plates, partial payment data, and months of location history exposed to the open internet without a password, according to a security researcher who found it and spent six weeks trying to get the company to fix it.
The database, an unauthenticated instance discovered through a routine internet scan, included plate numbers tied to phone numbers, the GPS coordinates of every parking session, and internal notes from customer support tickets. For some users, the data amounted to a searchable diary of where their car had been since 2024.
Six weeks to a fix, six minutes to a threat
The researcher’s disclosure timeline, shared with Dead Pixel and corroborated by email records, reads like a case study in how not to receive a vulnerability report. His first three emails went unanswered. A support agent then closed his ticket as “resolved” with a coupon code for a free hour of parking.
When he reached an engineer directly through a professional networking site, the database went offline within a day. Two days later, a law firm representing ParkSwift sent him a letter calling his scan “unauthorized access” and demanding he delete his findings, identify anyone he had shown them to, and sign a non-disclosure agreement.
He was also mailed a hoodie with the company logo — apparently from a separate, friendlier arm of the company that runs its “security appreciation program.” ParkSwift has no formal bug bounty.
Cities on the hook
At least 14 municipal parking authorities contract with ParkSwift, and several state breach notification laws may require the company to notify affected drivers. As of publication, no notifications appear to have been sent. Two city transportation departments told Dead Pixel they learned of the exposure from a reporter’s inquiry.
ParkSwift said in a statement that it had “no evidence of malicious access” — a phrase that, for a database with no authentication and no access logging, is doing an enormous amount of work: with nothing recording who connected, there could be no evidence either way.