Zoomcar data breach exposes info of 8.4M users—names, contacts, car details. No financial data leaked ongoing investigation

Continue reading
Zoomcar Holdings, a leading peer-to-peer car-sharing marketplace operating across India and emerging Asian markets, has disclosed a significant data breach affecting approximately 8.4 million users.
The incident, identified on June 9, 2025, was detected after a threat actor emailed company employees, claiming unauthorized access to the company’s information systems.
According to Zoomcar’s filing with the U.S. Securities and Exchange Commission (SEC), the breach resulted in unauthorized access to sensitive customer data, including:
The company emphasized that, based on its preliminary investigation, there is no evidence that users’ financial information, plaintext passwords, or other highly sensitive identifiers were exposed.
Upon discovery, Zoomcar promptly activated its incident response plan, which included:
Zoomcar stated that, to date, the breach has not caused any material disruption to its operations and that it continues to evaluate the scope and potential impact of the incident.
Following its 2023 public listing on Nasdaq (ZCAR) after merging with IOAC, Zoomcar must adhere to U.S. financial reporting standards, including reporting cybersecurity incidents to the SEC. The company’s swift disclosure and ongoing cooperation with authorities reflect these obligations.
This is not the first time Zoomcar has faced a significant data breach. In 2018, the company suffered a similar incident that exposed the records of over 3.5 million customers, with the compromised data later surfacing on underground marketplaces in 2020.
While no financial or password data appears compromised, the exposure of personal information raises concerns about potential identity theft, targeted phishing, and other malicious activities. Security experts recommend that affected users:
The exact method of attack remains undetermined, and no ransomware group has claimed responsibility. Zoomcar continues investigating the incident and has pledged to keep users and stakeholders informed as more information becomes available.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.