According to the major Japanese car brand, the incident was detected in December 2025 and resulted from threat actors exploiting a warehouse management system vulnerability.
The system in question related to parts it sourced from Thailand, and the incident saw the hackers access 692 records, none of which were customer data.
“The internal investigation conducted in cooperation with an external specialist organisation confirmed that security vulnerabilities in the system were exploited, resulting in unauthorised access to a portion of the information stored in the system,” said Mazda earlier this month.
According to the listing, data pertained to Mazda and group company employees as well as business partners. Data included names, email addresses, company names, user IDs and business partner IDs.
Mazda said that as a result of the incident, it is possible that some data has been exposed.
“Currently, no secondary harm has been confirmed. However, there is a possibility that the exposed personal information could be misused in the future, such as for phishing scams or spam emails. If you receive any suspicious communications, please exercise caution,” it said.
Mazda has warned people not to open suspicious emails or messages that claim to be from the company, as well as not to click any links or attachments.
It also said it has reported the incident to the Personal Information Protection Commission and bolstered its cyber security alongside the incident.
“Based on the investigation results, the company has revised the system to minimise internet communication in order to prevent unauthorised external access. In addition, it is restricting access sources, promptly applying security patches, and strengthening access monitoring to establish a framework for the early detection of suspicious activities,” Mazda added.
“Mazda will continue to work towards further strengthening information security measures, including those for similar systems, to prevent recurrence.”
While a recent threat listing relating to Mazda has not been identified by Cyber Daily, BleepingComputer noted that the Cl0p ransomware gang claimed a cyber incident on both Mazda and its US subsidiary in November 2025, listing the websites for both.
Cl0p’s listing for Mazda is currently inaccessible.
Who is Cl0p?
Cl0p – also known as Clop – is well known for taking advantage of vulnerabilities in popular third-party software platforms.
Cyber security firm Mandiant first warned of a “high-volume” extortion campaign linked to Cl0p in early October, after it was revealed that the hackers had been emailing executives to pressure them to pay ransoms or have their data published.
“Mandiant and Google Threat Intelligence Group are actively tracking recent activity involving an actor claiming affiliation with the Cl0p extortion group,” Charles Carmakal, CTO at Mandiant – Google Cloud, said in October.
“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts, and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running, financially motivated threat group known for deploying ransomware and engaging in extortion.
“The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Cl0p data leak site (DLS),” Carmakal said.
To date, Cl0p has claimed over 1,100 victims since it first emerged in March 2020.
