Zoomcar discloses security breach impacting 8.4 million users

Zoomcar Holdings (Zoomcar) has disclosed that unauthorized accessed its system led to a data breach impacting 8.4 million users.

The incident was detected on June 9, after a threat actor emailed company employees alerting them of a cyberattack.

Although there has been no material disruption to services, the company’s internal investigation confirmed that sensitive data belonging to a subset of its customers has been compromised.

Zoomcar is an Indian peer-to-peer car-sharing marketplace that connects car owners with renters across emerging markets in Asia, offering short and medium-term vehicle rentals.

The company became a U.S.‑listed, Delaware‑registered public company in late 2023, following a merger with an American blank-check firm IOAC, and its shares are now traded in Nasdaq (ZCAR).

Adhering to U.S. financial reporting standards, the company is required report the incident to the U.S. Securities and Exchange Commission (SEC). 

“On June 9, 2025, Zoomcar Holdings, Inc. identified a cybersecurity incident involving unauthorized access to its information systems,” the company informs.

“The Company became aware of the incident after certain employees received external communications from a threat actor alleging unauthorized access to Company data.”

The results of its preliminary investigation show that the following data for 8.4 million customers has been exposed to an unauthorized party:

• Full name
• Phone number
• Car registration number
• Home address
• Email address

Zoomcar says that there is no evidence of exposing users’ financial information, plaintext passwords, or any other sensitive data that could lead to the identification of individuals.

The company underlined that it is still evaluating of the exact scope and potential impact of the security incident.

At this time, the type of the attack hasn’t been determined and no ransomware group has assumed responsibility for the attack at Zoomcar.

BleepingComputer has asked Zoomcar about the nature of the incident but we received no response.

In 2018, Zoomcar suffered another major data breach that exposed records of more than 3.5 million customers, including names, email and IP addresses, phone numbers, and passwords stored as bcrypt hashes.

That data was eventually offered for sale on an undeground marketplace in 2020, exposing Zoomcar customers to elevated risks.