Cyber Attack Cripples Flexi Parking, Exposing Millions of User Records in Major Digital Outage
The attack comes days after the KKM website breach, leaving motorists across multiple states unable to pay for parking as attackers claim root access and data exposure.
Kuala Lumpur, 30 June 2026 – A cyber attack on Flexi Parking, the popular electronic payment system for parking in Malaysia, is affecting operations in the state of Selangor and some other states in the country. Citizens have not been able to make payments using the app since last weekend, and local authorities have had to stop enforcing parking rules.
This comes in the wake of the KKM website hack on 26 June.
Attackers Publicly Claim Responsibility
The hackers identified themselves as “MelayuSpiritual”. An image circulating on the internet shows root-level access to a Linux machine and points to SQL injection and arbitrary file upload vulnerabilities on the site.
They chose an arrogant style for their communication, with a heading on the page reading “TEORI BANYAK TEORI, PILIH MANA SUKA” (“Lots of theories, choose whichever you like”). They have also claimed that the database holds the data of millions of users, with a mention of 7 million users, and that there are vulnerabilities in the system which could not be addressed.
Exhibit 1: in Desktop view from the app backend
Exhibit 2: From portal in Desktop view
Widespread Disruption
Flexi Parking is essential digital infrastructure that facilitates street, off-street, and compound payments for parking. This incident has affected Flexi Parking users from both Selangor and other regions where the application is integrated with the local council’s system.
Many of the users have taken to social media to complain about their inability to pay using the application. There are even some reports of taunting push notifications such as “Hacked HAHAHAHA”. The local councils of MBSA, MBPJ, and MBSJ have stopped enforcing the usage of the application for payment.
Official Response
Flexi Parking described the situation as an “unexpected service disruption” on its official Facebook page. The institution stated that restoring services is its highest priority and advised that no parking payments are required for now. It also requested that any compounds issued during the outage be forwarded to them for assistance.
As of Tuesday afternoon, the app and website remain largely inaccessible or severely degraded for most users.
Connection to the KKM Breach
The timing has raised eyebrows. Just three days earlier, on 26 June, the Ministry of Health’s official website was taken offline after a confirmed cybersecurity incident, believed to involve an outdated Joomla vulnerability. While no direct link has been established between the two attacks, their close succession has sparked speculation about increased targeting of Malaysian public digital platforms.
Technical Implications
The methods used in the attack are widely known and easily avoided: SQL injection along with arbitrary file upload. Through SQL injection, attackers can steal and manipulate data in the database, which can include names, contacts, vehicle registration numbers, and other information about parking or payments.
Through arbitrary file upload, attackers can upload malicious files, which can lead to remote code execution. The public claim of root access to the server indicates a high level of penetration.
What Went Wrong: Technical and Security Failures
This is an extremely basic zero-day exploit, resulting in problems that could easily have been prevented.
Firstly, there were two types of vulnerabilities, namely SQL injection and unauthenticated arbitrary file upload, which would have been easily preventable had proper input validation and secure coding standards been followed. The root access also indicates some underlying problems, such as poor server hardening, poor access control implementation, and insufficient monitoring capabilities.
This is yet another example of common problems experienced by several Malaysian public digital services: while such services may be quickly implemented and deployed to meet operational needs, not enough time may be spent on security testing, patching, and defensive mechanisms. Flexi Parking does not seem to have been ready to handle such a large volume of sensitive user information for millions of people.
It is also notable how soon after the KKM incident the attack took place.
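The two preventable flaws named above, shown with their standard fixes in an added example (not Flexi Parking's code): a concatenated query beside a parameterized one, and an upload check that allow-lists file types by extension and leading bytes. The table, column names, sample rows and allowed file types are assumptions made for illustration.

```python
import os
import secrets
import sqlite3

# Constructed sample data; table and column names are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE parking (plate TEXT, owner TEXT, phone TEXT)")
    db.executemany("INSERT INTO parking VALUES (?, ?, ?)", [
        ("WXY1234", "User A", "010-0000001"),
        ("BCD5678", "User B", "010-0000002"),
    ])
    return db

def lookup_vulnerable(db, plate):
    # String concatenation: the input becomes part of the SQL statement.
    return db.execute(
        "SELECT plate, owner, phone FROM parking WHERE plate = '" + plate + "'"
    ).fetchall()

def lookup_safe(db, plate):
    # Bound parameter: the input is only ever treated as a value.
    return db.execute(
        "SELECT plate, owner, phone FROM parking WHERE plate = ?", (plate,)
    ).fetchall()

# Upload allow-list: the extension must match the file's leading magic bytes.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}

def accept_upload(filename, content):
    """Return a server-generated storage name, or None if the upload is rejected."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    # Never reuse the client-supplied name; store outside the web root.
    return secrets.token_hex(16) + ext

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # textbook injection string
    print(len(lookup_vulnerable(db, crafted)), len(lookup_safe(db, crafted)))
    print(accept_upload("receipt.php", b"<?php"), accept_upload("receipt.png", b"<?php"))
```

The upload check only decides whether a file is stored; the storage directory should also be non-executable and the endpoint should require authentication.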
Risks to Users
If user data was accessed or exfiltrated, affected individuals could face privacy risks or potential misuse of vehicle registration and payment information. Although Flexi Parking has not confirmed any data breach, the nature of the vulnerabilities exploited warrants caution. Users should monitor their accounts and remain vigilant against phishing attempts in the coming days.
Advice to Motorists
Until Flexi Parking officially confirms that services have been fully restored and secured, motorists should:
Avoid using the app for payments or top-ups
Use physical parking coupons or alternative payment methods where available
Keep records of any compounds received and contact Flexi Parking or their local council
Stay alert for phishing messages impersonating the company or local authorities
A Broader Wake-Up Call
This incident once again exposes weaknesses in Malaysia’s expanding digital public services. As more government agencies and local councils move critical services online, the consequences of inadequate security are increasingly affecting ordinary citizens.
The Flexi Parking attack highlights recurring issues: preventable vulnerabilities left in place, insufficient security testing, and the high impact on systems that handle large volumes of user data and payments. Whether “MelayuSpiritual” is a new hacktivist group or opportunistic attackers, the outcome is the same: millions of users have been left without access to an essential daily service.
The incident serves as a clear reminder that cybersecurity must be treated as a core component of digital transformation, not an afterthought.
Further updates will be provided as official statements and technical assessments emerge.