Zoomcar Hit by Major Data Breach, Affecting 8.4 Million Users

Zoomcar, India’s prominent car-sharing platform, has disclosed a significant data breach affecting approximately 8.4 million of its users. The cybersecurity incident, which came to light on June 9, 2025, involved unauthorized access to the company’s information systems, leading to the compromise of a substantial amount of sensitive personal data. This event underscores the growing challenges in digital security within the mobility sector and highlights the constant threat of cyberattacks.

According to filings with the U.S. Securities and Exchange Commission (SEC), the exposed personal information includes users’ names, phone numbers, car registration numbers, home addresses, and email addresses. Zoomcar, a US-listed public company incorporated in Delaware, was compelled to report the incident in accordance with US financial reporting standards, highlighting the seriousness of the breach. Importantly, the company has stated that there is currently no evidence to suggest that financial data, plaintext passwords, or other highly sensitive identifiers were accessed by the unauthorized third party.

The Breach Discovery and Company’s Swift Response

The Zoomcar data breach was discovered when several company employees received external communications from a threat actor claiming responsibility for the unauthorized access. Upon identifying the intrusion, Zoomcar promptly activated its comprehensive incident response plan.

The company has taken immediate and robust actions to contain the threat and enhance its overall cybersecurity posture. These measures include

• Implementing additional safeguards across its cloud infrastructure and internal network.
• Increasing real-time system monitoring to detect and prevent further unauthorized activity.
• Conducting a thorough review of access controls and administrative privileges.

Furthermore, Zoomcar is actively collaborating with leading third-party cybersecurity experts to conduct a forensic investigation and ascertain the full scope and impact of the incident. The company has also proactively notified relevant regulatory and law enforcement authorities, pledging full cooperation with ongoing inquiries. While the exact method of the attack has not been publicly detailed, preliminary findings indicate a targeted breach. Some reports also suggest the threat actor may be attempting to extort the company.

A History of Security Challenges

This is not the first time Zoomcar has faced a significant security incident. In 2018, the platform experienced another major data breach that affected over 3.5 million user records, which later appeared for sale on underground forums. This history underscores the ongoing challenges companies face in maintaining impenetrable digital defenses against evolving cyber threats.

Despite the current security setback, Zoomcar, which operates in 99 cities across India, Egypt, Indonesia, and Vietnam, maintains that the breach has not materially impacted its operational stability. The company continues to evaluate the potential legal, financial, and reputational ramifications, alongside any associated remediation costs. As investigations continue, affected users and the wider public await further updates on the resolution of this substantial Zoomcar data leak.

Implications for Users and the Industry

For the 8.4 million affected users, this breach serves as a critical reminder to remain vigilant against potential follow-up attacks. Users are strongly advised to:

• Be wary of phishing attempts or suspicious communications that might leverage their exposed personal information. Enable multi-factor authentication (MFA) on all their online accounts, if not already done and monitor their accounts for any unusual activity.

This incident also shines a spotlight on the broader data security landscape for car-sharing platforms and online services in India and globally. As more personal data is digitized, the responsibility of companies to protect this information becomes paramount. Regulatory bodies, including India’s CERT-In and in light of the upcoming Digital Personal Data Protection Act (DPDPA), are increasingly scrutinizing how organizations handle user data and respond to breaches.