Pierluigi Paganini June 17, 2025

Zoomcar disclosed a data breach impacting 8.4M users after attackers compromised its systems and contacted the company staff.

Zoomcar is an India-based car-sharing and self-drive car rental company. Zoomcar discovered a data breach impacting 8.4M users after threat actors contacted the internal personnel claiming the compromise of internal systems.

The company is investigating the security breach and has determined that the exposed information included names, contacts, and addresses. No financial data or passwords were compromised.

“On June 9, 2025, Zoomcar Holdings, Inc. (the “Company”) identified a cybersecurity incident involving unauthorized access to its information systems. The Company became aware of the incident after certain employees received external communications from a threat actor alleging unauthorized access to Company data. Upon discovery, the Company promptly activated its incident response plan.” reads the FORM 8-K filed with US Securities and Exchange Commission (SEC).

“Based on preliminary findings, the Company determined that an unauthorized third party accessed a limited dataset containing certain personal information of a subset of approximately 8.4 million users, including names, phone numbers, car registration numbers, personal addresses and email addresses associated with such users. At this time, there is no evidence that financial information, plaintext passwords, or other sensitive identifiers were compromised.”

Zoomcar took swift action after the incident with the help of cybersecurity experts, boosting cloud and network security. The company notified authorities about the security breach, and operations remain unaffected so far. The car-sharing firm is assessing legal, financial, and reputational impacts.

“To date, the incident has not resulted in any material disruption to the Company’s operations. However, the Company continues to evaluate the scope and potential impacts of the event, including legal, financial, and reputational considerations, as well as any associated remediation costs.” concludes FORM 8-K.

The company has not provided technical details regarding the cyber attack, and although it is possible that Zoomcar was the victim of a ransomware attack, no ransomware group has claimed responsibility so far.

In July 2018, Zoomcar suffered another data breach exposing the data of more than 3.5 million users, including names, email and IP addresses, phone numbers, and passwords.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)