Zoomcar data breach exposes info of 8.4M users—names, contacts, car details. No ...
Zoomcar Holdings, a leading peer-to-peer car-sharing marketplace operating across India and emerging Asian markets, has disclosed a significant data breach affecting approximately 8.4 million users.
The incident, identified on June 9, 2025, was detected after a threat actor emailed company employees, claiming unauthorized access to the company’s information systems.
## Details of the Data Breach
According to Zoomcar’s filing with the U.S. Securities and Exchange Commission (SEC), the breach resulted in unauthorized access to sensitive customer data, including:
- Full name
- Phone number
- Car registration number
- Home address
- Email address
The company emphasized that, based on its preliminary investigation, there is no evidence that users’ financial information, plaintext passwords, or other highly sensitive identifiers were exposed.
## Company Response and Security Measures
Upon discovery, Zoomcar promptly activated its incident response plan, which included:
- Deploying additional safeguards across its cloud and internal networks
- Increasing system monitoring and reviewing access controls
- Engaging third-party cybersecurity experts to assist in the investigation
- Notifying regulatory and law enforcement authorities, and cooperating fully with their inquiries
Zoomcar stated that, to date, the breach has not caused any material disruption to its operations and that it continues to evaluate the scope and potential impact of the incident.
## Regulatory and Legal Implications
Following its 2023 public listing on Nasdaq (ZCAR) after merging with IOAC, Zoomcar must adhere to U.S. financial reporting standards, including reporting cybersecurity incidents to the SEC.
The company’s swift disclosure and ongoing cooperation with authorities reflect these obligations.
## Historical Context
This is not the first time Zoomcar has faced a significant data breach. In 2018, the company suffered a similar incident that exposed the records of over 3.5 million customers, with the compromised data later surfacing on underground marketplaces in 2020.
## Risks and Recommendations for Users
While no financial or password data appears compromised, the exposure of personal information raises concerns about potential identity theft, targeted phishing, and other malicious activities. Security experts recommend that affected users:
- Remain vigilant for suspicious emails, calls, or messages
- Monitor their accounts for unusual activity
- Await further updates and guidance from Zoomcar
The exact method of attack remains undetermined, and no ransomware group has claimed responsibility. Zoomcar continues investigating the incident and has pledged to keep users and stakeholders informed as more information becomes available.