Data Breach Alert: Zoomcar Discloses Cybersecurity Incident Impacting 8.4 Million Users

Zoomcar, the Indian peer-to-peer car-sharing platform, has disclosed a data breach that exposed sensitive customer information of 8.4 million people.

According to a filing with the US Securities and Exchange Commission (SEC), Zoomcar Holdings, Inc. detected unauthorized access to its internal systems after employees received messages from a threat actor. The company launched an investigation, confirming that non-financial personal information of over 8 million users had been compromised, including:

• Full name and phone number
• Car registration number
• Home address and email address

The type of attack, or if the stolen data has been leaked, remains undisclosed for now.

This isn’t the first time Zoomcar has been hit. In 2018, a major breach impacted 3.5 million customers, exposing hashed passwords and contact information. That dataset surfaced on underground marketplaces two years later, placing affected users at increased risk of phishing, identity theft, and fraud.

The latest breach, while not believed to include financial data, still provides valuable information for threat actors looking to build detailed user profiles or carry out targeted attacks.

Even though Zoomcar claims no financial or password data was exposed, the combination of names, addresses, car registration numbers, and phone numbers can be exploited in:

• Phishing attacks impersonating Zoomcar or local services
• Identity verification fraud (example: fake rental listings or insurance scams)
• Targeted social engineering attempts
• Reselling of data on dark web forums

Zoomcar has said it is still assessing the scope of the breach and has not responded to media inquiries about the nature of the incident.

What Can Users Do?

If you’ve ever used Zoomcar, it’s a good idea to take precautions — even if financial data wasn’t exposed:

• Watch out for suspicious emails or SMS messages that appear to come from Zoomcar or local government agencies.
• Avoid clicking on unsolicited links and double-check rental offers or messages referencing your car or personal details.
• Change your password if you reused it elsewhere — even though Zoomcar says passwords weren’t exposed.
• Use a Digital Identity Protection service to monitor for potential misuse of your information.
• Report fraud attempts to local authorities and Zoomcar support.

Bitdefender Digital Identity Protection helps you monitor data leaks and alerts you if your personal details appear on the Dark Web — empowering you to act fast.