A data breach of an Indian car rental and ridesharing company has exposed the data of millions of users after an unauthorised user gained access.
ZoomCar is an Indian peer-to-peer car-sharing company that allows car owners to list their vehicles for short- and medium-term rental. It operates in multiple markets in Asia and became a US-listed public company after it merged with Innovative International Acquisition Corp (IOAC) in late 2023.
As a US-listed company, it was required to disclose the cyber incident to the US Securities and Exchange Commission (SEC).
“On June 9, 2025, Zoomcar Holdings, Inc. (the ‘company’) identified a cyber security incident involving unauthorised access to its information systems,” the company said in an SEC filing.
“The company became aware of the incident after certain employees received external communications from a threat actor alleging unauthorised access to company data. Upon discovery, the company promptly activated its incident response plan.”
Based on its initial investigation, ZoomCar said the threat actor accessed a “limited dataset containing certain personal information of a subset of approximately 8.4 million users, including names, phone numbers, car registration numbers, personal addresses and email addresses associated with such users”.
“At this time, there is no evidence that financial information, plaintext passwords, or other sensitive identifiers were compromised,” it said.
ZoomCar said it is still investigating and has not yet determined the nature or full impact of the incident.
Cyber Daily has not observed any threat actors or ransomware groups claiming responsibility for the attack.
This is the second cyber incident ZoomCar has suffered; it was previously breached in 2018.
In the earlier incident, the data of over 3.5 million individuals was exposed, including names, emails, phone numbers, IP addresses and passwords stored as bcrypt hashes.
The data was then listed for sale in 2020 on a cyber crime marketplace. It is unclear if it was sold.