Over the weekend, Flexi Parking went dark. The parking payment app that Selangor drivers use to feed meters and clear compounds stopped working. By 30 June the cause was clear: the Flexi Parking hack had taken the whole system down.
A group calling itself "MelayuSpiritual" replaced part of the system with a black screen, a root shell, and a blunt message: they were inside, and there were "7 million users" in the database. How they got in is the part every business owner should read carefully. They used two of the oldest tricks on the internet.
What is the Flexi Parking app, and what happened in the hack?
Flexi Parking, built by LITS Sdn Bhd, is one of the country's most-used parking apps. It covers on-street, off-street, and compound payments across councils like MBSA, MBPJ, and MBSJ, with thousands of reviews on the Play Store alone. When it goes down, people cannot pay for parking and councils pause enforcement.
That is exactly what happened. Users reported the app failing and some saw saved summonses vanish. The company called it an "unexpected service disruption" and waived parking payments while it was offline.
The Flexi Parking site timing out during the outage. Source: najoe on Substack
The attackers did not hide their method. Their own page spelled it out: "Proof of concept. SQL injection. Unauthenticated arbitrary file upload." The terminal shows them running as root, the highest level of access, on a server reportedly still running a Linux kernel built in 2021. One line of their Malay message stings: "common vulnerability pun korang tak aware?" Roughly, you were not even aware of a common vulnerability.
One caveat: the 7 million figure is the attackers' claim. The company has not confirmed whether any data was actually copied.
How the Flexi Parking hack worked: two old, preventable bugs
Neither bug here is clever. That is the part that should bother you.
SQL injection happens when an app pastes what a user typed straight into a database query, so the database reads the input as part of the command rather than as plain data. It has sat near the top of web security lists, including every edition of the OWASP Top 10, for more than 20 years. The fix, parameterized queries (also called prepared statements), sends the query text and the user's values to the database separately, so the values can never change the shape of the query. Every modern framework and database driver supports it, and it costs nothing to use correctly.
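To make the difference concrete, here is an added example (written for this article, not code from Flexi Parking or LITS) of a login check done both ways against a constructed in-memory SQLite table. The table, the user names and the plaintext passwords are assumptions for illustration only; a real system would store password hashes. The two payloads are the textbook ones from any introductory course, not anything taken from the incident.

```python
import sqlite3


def make_db():
    """Constructed sample table; not Flexi Parking's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Plaintext passwords only to keep the example short; never do this in production.
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input is spliced into the SQL text, so the database
    parses quotes and keywords in the input as part of the command."""
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """The fix: placeholders. The query text is fixed; the driver hands the
    values to the database separately, so they can only ever be compared,
    never executed."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run the same inputs through both versions and report who got in."""
    conn = make_db()
    # Tautology payload: turns the WHERE clause into (... AND '') OR '1'='1'.
    tautology = "' OR '1'='1"
    # Comment payload: '--' makes the database ignore the password check.
    comment = "alice' --"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        "safe_valid": login_safe(conn, "alice", "correct horse"),
        "safe_tautology": login_safe(conn, "nobody", tautology),
        "safe_comment": login_safe(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(f"{name:15} -> {'LOGGED IN' if logged_in else 'denied'}")
```

The vulnerable function lets both payloads in without a valid password; the parameterized one treats `' OR '1'='1` as a literal string that matches nobody. Note that escaping quotes by hand is not the fix; placeholders are, because they remove the parsing step the attacker relies on.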
Unauthenticated file upload means a stranger can upload a file without logging in, and nothing stops that file from being a script. If the server saves it under the name the uploader chose, in a folder the web server both serves and executes from, the attacker simply browses to the file and the server runs their code. Once that works, they own the box. The fix is also standard: check who is uploading, check the file's content as well as its name (a file called photo.png that starts with script code is not an image), store it under a server-generated name in a directory the web server does not execute from, and never run uploaded files.
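Here is an added example of what a hardened upload handler looks like, again written for this article rather than taken from any real app. The function names, the allowlist of file types, the size limit and the sample uploads are all assumptions; the stored-file directory is a temporary folder standing in for a location outside the web root.

```python
import os
import secrets
import tempfile

MAX_BYTES = 5 * 1024 * 1024  # assumed limit; tune to the real use case

# Allowlist, not a blocklist: extension -> magic bytes the content must begin with.
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}


class UploadRejected(Exception):
    pass


def validate_upload(user, filename, data):
    """Return the accepted extension, or raise UploadRejected with the reason."""
    if user is None:
        raise UploadRejected("login required")          # who is uploading?
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(filename)                   # drop any ../ the client sent
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"type not allowed: {ext}")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")  # check bytes, not just name
    return ext


def store_upload(user, filename, data, upload_dir):
    """Validate, then write under a random server-chosen name with no execute bit."""
    ext = validate_upload(user, filename, data)
    stored = f"{secrets.token_hex(16)}.{ext}"           # client's filename never hits disk
    path = os.path.join(upload_dir, stored)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # rw for owner only
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored


def demo():
    """Constructed uploads: four that should be rejected, one that should succeed."""
    upload_dir = tempfile.mkdtemp()                     # stands in for a dir outside the web root
    script = b"<?php echo 1; ?>"                        # stand-in for an uploaded script
    cases = {
        "anon_script":   (None,    "shell.php", script),
        "script_ext":    ("alice", "shell.php", script),
        "script_as_png": ("alice", "pic.png",   script),
        "traversal":     ("alice", "../../var/www/html/x.php", script),
        "good_png":      ("alice", "pic.png",   b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    }
    outcomes = {}
    for name, (user, fname, data) in cases.items():
        try:
            outcomes[name] = "stored:" + store_upload(user, fname, data, upload_dir)
        except UploadRejected as e:
            outcomes[name] = "rejected:" + str(e)
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} -> {outcome}")
```

The order of the checks matters: authentication comes first so anonymous requests never reach the parser, and the content check runs after the extension check so a script renamed to .png is still caught. Even with all of this, the directory should be served as static files only, with script execution disabled for it at the web server, so that a mistake in the validator does not become code execution.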
Our honest take: this was not a sophisticated attack. These are the bugs you cover in week one of any secure-coding course. When software this widely used falls to them, it points to a team that shipped fast, skipped testing, and never came back to patch. The 2021 kernel is the tell.
Are parking apps, and your own app, actually safe?
A parking app is only as safe as the team running it. As a user, you cannot fix their server, but you can stop reusing passwords and keep stored balances small. For business owners, the question is sharper. If an app with millions of users shipped these holes, what are the odds your commissioned software is clean? In our experience reviewing software for Malaysian companies, input handling and patching are the first things that slip when a project is rushed or handed off. The flaw is rarely exotic. It is the boring stuff nobody owned after launch.
This breach also landed alongside a wave of attacks on Malaysian government websites, including the Health Ministry portal, which NACSA linked to unpatched software. Different attackers, different bug, same root cause: systems built and then left alone.
What Malaysian business owners should do
You do not need to become a security expert. You need to ask three things of whoever builds or maintains your software:
- Run a security test before launch. A penetration test (VAPT) probes your app the way an attacker would. It is affordable, and far cheaper than a breach. If your developer has never done one, that is a red flag worth checking.
- Ask how they handle input and uploads. A competent developer can explain parameterized queries and file validation in plain terms. If they cannot, keep asking.
- Patch and watch. Software is not a one-time build. Servers and libraries need updating, which is the heart of basic server hardening. A 2021 kernel in 2026 is a bad choice.
There is a compliance angle too. Under Malaysia's updated PDPA, a leak of names, phone numbers, and plate details is exactly the kind of event regulators now examine, as we explained in our guide to cloud security mistakes Malaysian businesses keep making.
At Gotchaa Lab, we build with these basics baked in and audit existing systems for the same holes. If you are not sure your app would survive the test the attackers just ran on Flexi Parking, talk to us. Honest read, no sales pitch.
This article is for general information and does not constitute professional cybersecurity or legal advice. Details of the incident are based on public reports and may change as more is confirmed.