HQ/EMEAFind out how we can help your business
Zoomcar Holdings has confirmed unauthorised access to its system, which resulted in a data breach affecting 8.4 million users.
Based on reports, the cybersecurity issue was discovered on June 9, when a threat actor emailed corporate employees to warn them of a hack. Although there was no significant disruption to services, the company’s internal investigation revealed that sensitive data belonging to a minority of its customers was compromised.
The affected entity is an Indian peer-to-peer car-sharing marketplace that connects car owners with renters in rising Asian countries, specialising in short and medium-term leases.
Following a merger with American blank-check provider IOAC, the company became a US-listed, Delaware-registered public company in late 2023. Its shares are currently traded on the Nasdaq (ZCAR).
According to US financial reporting regulations, the corporation must report the occurrence to the US SEC. Zoomcar Holdings, Inc. said on June 9, 2025, that it had discovered a cybersecurity breach involving illegal access to its computer systems.
Zoomcar became aware of the data breach after getting reports that some of its staff had received unknown messages.
According to investigations, Zoomcar Holdings learned about the incident after some employees received external communications from a threat actor alleging improper access to its data.
Moreover, its preliminary examination reveals that an unauthorised party has compromised the data of 8.4 million clients.
The data breaches included full names, phone numbers, automobile registration numbers, home locations, and email addresses. However, the company says there is no evidence that consumers’ bank information, plaintext passwords, or other highly sensitive identifiers were compromised.
Furthermore, the corporation stated that it is still assessing the full scope of the security breach and its potential consequences.
The sort of assault has yet to be determined, and no ransomware gang has claimed responsibility for the attack against Zoomcar. On the other hand, concerned parties have contacted Zoomcar regarding the nature of the incident, but the company has yet to provide an answer.
This incident is not the company’s first major breach. Another incident in 2018 exposed over 3.5 million customer records, including full names, email addresses, IP addresses, numbers, and passwords stored as bcrypt hashes.
That data was subsequently made available on an underground marketplace in 2020, exposing Zoomcar consumers to increased risks.
