Car-sharing Zoomcar reports data breach exposing 8.4 M users
Learn More
Zoomcar Holdings, Inc., an Indian peer-to-peer car-sharing marketplace, is reporting a data breach that compromised the personal information of approximately 8.4 million users.
The incident was discovered on June 9, 2025. Zoomcar became aware of the cybersecurity incident after certain employees received external communications from a threat actor alleging unauthorized access to company data. Zoomcar activated its incident response plan and launched an investigation to determine the scope and impact of the breach.
Based on preliminary findings from the company's investigation, an unauthorized third party gained access to a limited dataset containing personal information of approximately 8.4 million users. The compromised data includes:
- Names
- Phone numbers
- Car registration numbers
- Personal addresses/home addresses
- Email addresses
The nature of the attack and the number of affected individuals is not disclosed. The company reported the incident to the U.S. Securities and Exchange Commission (SEC) on Friday, June 13, 2025.
This is not the first major data breach to affect Zoomcar's users. In July 2018, the company suffered another significant security incident that exposed records of more than 3.6 million customers, including names, email and IP addresses, phone numbers, and passwords stored as bcrypt hashes. That compromised data was eventually offered for sale on an underground marketplace in 2020, exposing affected customers to elevated risks of identity theft and other cybercriminal activities.
