Zoomcar Gets Pwned… But At Least They Admitted To It Quickly
Zoomcar Holdings, a peer-to-peer car-sharing marketplace, has disclosed that unauthorized access to its systems led to a data breach impacting 8.4 million users.
On June 9, 2025, Zoomcar Holdings, Inc. (the “Company”) identified a cybersecurity incident involving unauthorized access to its information systems. The Company became aware of the incident after certain employees received external communications from a threat actor alleging unauthorized access to Company data. Upon discovery, the Company promptly activated its incident response plan.
Based on preliminary findings, the Company determined that an unauthorized third party accessed a limited dataset containing certain personal information of a subset of approximately 8.4 million users, including names, phone numbers, car registration numbers, personal addresses and email addresses associated with such users. At this time, there is no evidence that financial information, plaintext passwords, or other sensitive identifiers were compromised.
In response to the incident, the Company has taken immediate actions to contain the threat and enhance its security posture. These measures include implementing additional safeguards across the cloud and internal network, increasing system monitoring, and reviewing access controls. The Company is also engaging with third-party cybersecurity experts to further assist with the investigation. The Company has also notified the appropriate regulatory and law enforcement authorities and is cooperating fully with their inquiries.
To date, the incident has not resulted in any material disruption to the Company’s operations. However, the Company continues to evaluate the scope and potential impacts of the event, including legal, financial, and reputational considerations, as well as any associated remediation costs.
Paul Bischoff, Consumer Privacy Advocate at Comparitech:
“Although this was a large breach, the information compromised does not pose a direct threat to victims’ accounts or finances. Victims should be on the lookout for targeted phishing messages and scams via text and email. Those messages might pretend to be from Zoomcar or a related company. Never click on links or attachments in unsolicited emails and texts.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy:
“First of all, bravo to Zoomcar for quickly alerting the public to the breach. Luckily, no credit card, debit card, or other financial information was exposed in the breach. However, Zoomcar customers do need to stay alert for any attempts to open new accounts in their name and to especially stay alert for phishing attempts where bad actors use the information they were able to obtain to pry more information from customers that can be used to breach accounts.”
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4:
“Everyone’s information, including the information taken by the Zoomcar theft, has been stolen multiple times over the years. I’m not sure how valuable it is to cybercriminals in either use or in selling, but the top risk scenario is some sort of phishing scam where someone fraudulently posing as Zoomcar tries to use the potential victim’s relationship with Zoomcar as a means to further compromise the victim. And for sure, scammers with information like that are more likely to be successful than with just sending out a generic phish with no “insider information.” Zoomcar customers need to pay attention to the breach announcement and use increased caution anytime someone supposedly from Zoomcar reaches out to them. History is replete with previous examples of compromised information being used to successfully phish the involved customers at a later date.”
Another day, another breach that may affect millions. Welcome to the new normal where some company getting pwned will result eventually in something bad happening to you. That’s not good and seriously needs to change.
But at least Zoomcar admitted to it quickly… I guess.
This entry was posted on June 16, 2025 at 1:27 pm and is filed under Commentary with tags Hacked.