
Indian car-sharing service Zoomcar has confirmed a major data breach after a cyberattack that affected 8.4 million users. The incident is under investigation, but it is already known that the attackers got hold of the names, addresses, license plates and other personal data of customers.
The breach was discovered on June 9, 2025, when an unknown hacker wrote directly to Zoomcar employees, reporting unauthorized access to the company’s system. The company immediately launched an internal investigation, which confirmed the leak of personal data.
Compromised data:
Full name
Phone number
Vehicle registration number
Home address
At the same time, the company says that banking details, plaintext passwords and other critically sensitive information were not stolen.
Zoomcar has already filed with the U.S. Securities and Exchange Commission (SEC) under U.S. reporting standards, as the company is set to go public after merging with IOAC in 2023 and trade on NASDAQ under the ticker ZCAR.
In an earlier incident in 2018, 3.5 million user accounts were compromised, and the data later appeared on darknet sites. That leak included email addresses, IP addresses, phone numbers and hashed passwords.
Zoomcar has not yet commented on a possible ransom demand or on whether a group of attackers was involved in the attack. Although there was no apparent service outage, the scale of the leak poses reputational risks and calls into question the company’s commitment to protecting data globally. The incident also highlights the vulnerability of sharing platforms in countries where technology markets are evolving rapidly and cybersecurity often lags behind.