Major Cybersecurity Breach at Zoomcar Affecting Millions
Zoomcar Holdings, a prominent peer-to-peer car-sharing platform, has confirmed a significant cybersecurity breach that has potentially compromised the data of approximately 8.4 million users. This incident was detected on June 9, 2025, when employees received messages from an unidentified hacker asserting possession of sensitive company data.
The Bengaluru-based company detailed the breach in a disclosure to the U.S. Securities and Exchange Commission (SEC), stating that unauthorized access was gained to a database containing various personal information. Affected data includes users’ names, phone numbers, car registration numbers, home addresses, and email addresses. Fortunately, current assessments suggest that no financial information, passwords, or other highly sensitive identification numbers were exposed during this incident.
Founded in 2013, Zoomcar has established itself as a competitive player in the car-sharing sector, boasting a user base exceeding 10 million and a fleet of over 25,000 vehicles operating in 99 cities globally, including India, Egypt, Indonesia, and Vietnam.
In the aftermath of the breach, Zoomcar activated its incident response protocols, enhancing security measures across its cloud and internal networks. This includes bolstering system monitoring and re-evaluating access permissions for personnel. Additionally, the company has enlisted external cybersecurity experts to assist with the ongoing investigation and has coordinated with governmental and law enforcement agencies.
Despite the severity of the breach, Zoomcar has reported that the incident has not led to any significant disruption of its operations. However, the company is actively evaluating the full implications of the breach, including potential legal consequences, financial impacts, reputational factors, and the cost of mitigation efforts. It remains unclear whether affected customers have been informed directly about the breach or if the hacker’s identity has been identified.
This is not the first time Zoomcar has faced cybersecurity challenges. In July 2018, the company experienced another data breach that exposed the information of 3.6 million users, with data including names, IP addresses, passwords, and phone numbers. That previous incident saw compromised information appearing for sale on the dark web in 2020.
The current breach unfolds amidst a broader context of heightened cybersecurity risks across the car rental industry, which has seen several high-profile attacks within the past year, including incidents affecting major players like Hertz and Avis.
Cybersecurity experts, including Consumer Privacy Advocate Paul Bischoff, emphasize the need for vigilance among those affected. While this breach may not pose an immediate threat to online accounts or financial information, users are advised to remain alert for phishing attempts disguised as legitimate communications from Zoomcar or related entities. It is critical to exercise caution, avoiding interactions with unsolicited emails or text messages that may contain harmful links or attachments.
Understanding the tactics involved in such breaches can provide organizations with valuable insights. The MITRE ATT&CK framework may suggest that tactics such as initial access, data exfiltration, and credential dumping could have been employed in this attack, highlighting the need for businesses to continually assess and enhance their cybersecurity defenses.
