Zoomcar has disclosed that unauthorized access to its systems led to a data breach affecting 8.4 million users.
The incident came to light on 9 June, after a threat actor emailed the company's employees to alert them to a cyber attack.
Although there has been no physical disruption to services, the company's internal investigation confirmed that sensitive data related to some of its customers had been compromised.
Zoomcar is an Indian peer-to-peer car-sharing marketplace that connects car owners with renters in emerging markets in Asia, offering short- and medium-term vehicle rentals.
The company became a US-listed, Delaware-registered public company at the end of 2023, after a merger with the American blank-check firm IOAC, and its shares now trade on Nasdaq (ZCAR).
Under US financial reporting standards, the company is required to file a report with the US Securities and Exchange Commission (SEC).
“On June 9, 2025, Zoomcar Holdings, Inc. identified a cyber security incident, which includes unauthorized access to the system,” the company said.
“The company came to know about the incident after some employees received unauthorized access to the company’s data after receiving external communication from a threat actor.”
The results of its preliminary investigation suggest that the following data for 8.4 million customers was exposed to an unauthorized party:
- Full name
- Phone number
- Car registration number
- Home address
- Email address
Zoomcar states that there is no evidence that users' financial information, plaintext passwords, or any other sensitive data that could lead to the identification of individuals was compromised.
The company underlined that it is still evaluating the exact scope and potential impact of the security incident.
At this time, the type of attack has not been determined, and no ransomware group has claimed responsibility for an attack on Zoomcar.
BleepingComputer has asked Zoomcar about the nature of the incident, but we did not get any response.
In 2018, Zoomcar suffered another major data breach, which exposed the records of more than 3.5 million customers, including names, emails and IP addresses, phone numbers and passwords stored as bcrypt hashes.
That data was eventually offered for sale on an underground market in 2020, exposing Zoomcar customers to high risk.