8.4 million users affected by Zoomcar breach

Zoomcar has confirmed a data breach affecting 8.4 million users, exposing names, phone numbers, and other personal information. Learn what happened.

17-06-2025 - 4 minute read. Posted in: cybercrime.


Zoomcar breach exposes data of 8.4 million users

India-based car-sharing platform Zoomcar has confirmed a significant data breach that exposed the personal data of 8.4 million users. A hacker gained access to sensitive information, including names, phone numbers and car registration numbers. Zoomcar, founded in 2013 and headquartered in Bengaluru, operates as a car-sharing marketplace across India.

The company serves customers in 99 cities and allows users to rent vehicles on flexible terms, including monthly, weekly, daily and hourly plans. The breach, which occurred in early June, has raised serious concerns about Zoomcar’s cybersecurity posture and its protection of user data.

Large-scale exposure in the mobility sector

Cybersecurity researchers report that the compromised data includes full names, phone numbers, email addresses, IP addresses and device information. While Zoomcar states that no payment details or government-issued identification were included in the breach, the amount of exposed data still presents a significant risk.

The breach came to light when a threat actor listed the stolen data for sale on a hacking forum. The post included samples of the database, which security analysts later confirmed to be legitimate.

Zoomcar became aware of the incident after some employees received suspicious external messages. These communications from the attacker prompted an internal investigation, leading to the discovery of unauthorized access.

This incident is reminiscent of other breaches involving third-party systems. For example, in the WK Kellogg breach, attackers exploited vulnerabilities in a vendor’s system to access employee data. These cases highlight the increasing threat posed by supply chain exposures.

Zoomcar’s response

Zoomcar acknowledged the breach and initiated an internal investigation. The company activated its incident response protocols, reviewed access controls and increased system monitoring across its internal infrastructure. Additional safeguards were introduced to protect user data and ensure operational resilience.

Although the company has not shared the exact method of the breach, it confirmed that a third-party system storing customer data was involved. Zoomcar says it has reported the incident to the relevant authorities and is cooperating fully with external cybersecurity experts to further investigate the breach and improve its defences.

However, the delay in publicly disclosing the incident has attracted criticism from users and cybersecurity professionals, who emphasise the importance of transparency and timely communication following a breach of this scale.

Similar concerns were raised during the adidas data breach, where a third-party vulnerability led to exposure of customer data. These patterns show how dependent even large brands are on the security practices of their vendors.

What users should know

Even though financial data and passwords do not appear to have been compromised, the leaked personal information is still valuable to cybercriminals. Threat actors can use names, phone numbers and email addresses to carry out phishing attacks, impersonate legitimate companies or attempt identity fraud.

Users are advised to stay vigilant. Avoid clicking on unsolicited links, enable multi-factor authentication on all accounts, and monitor for suspicious emails or messages. Taking basic precautions can help reduce the risk of further exploitation.

Cybersecurity risks in the car-sharing industry

This breach highlights the growing vulnerability of digital platforms in the transportation and mobility sector. As these services collect more data to enhance the user experience, they must also take on greater responsibility for securing that data.

Trust is essential in tech-enabled industries, especially where users rely on platforms to manage travel, identity and payments. A breach like this can damage user confidence and harm a company’s reputation long after the incident has been contained.

Companies looking to protect themselves from similar incidents can benefit from reading Moxso’s guide on preventing third-party data breaches, which outlines concrete steps to evaluate and secure vendor relationships.

Next steps for affected users

If you are among the 8.4 million affected Zoomcar users, it is important to act quickly. Enable two-factor authentication on your Zoomcar account and any other services using the same login credentials. Review your bank and credit card statements for suspicious transactions, and report anything unusual to your financial institution.

Be cautious of any messages requesting sensitive information or linking to unfamiliar websites, as these could be phishing attempts. You may also consider enrolling in a credit monitoring service to receive alerts about changes to your credit report.

Zoomcar has contacted affected users and is cooperating with regulators and law enforcement agencies. The company is also working with third-party cybersecurity firms to assess the breach and improve its internal systems.

A reminder of what is at stake

The Zoomcar incident serves as a reminder that cybersecurity must be a core focus for any digital business. Preventive measures such as data encryption, strict access controls and regular security audits are essential to protect user information.

As the investigation continues, the case highlights the importance of proactive security and clear communication in an increasingly data-driven world.

Author Sarah Krarup


Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
