Recommended reading

Major hack against car-sharing firm Zoomcar sees 8.4 million users at risk

News
By published

Names, email addresses, and phone numbers stolen in brazen attack

Zero-day attack
(Image credit: Shutterstock) (Image credit: Shutterstock.com)
  • Zoomcar filed a new 8-K form with the SEC confirming cyberattack
  • It found out about the attack from the threat actors
  • Over 8 million users could have had their personal data stolen

Car sharing marketplace Zoomcar has suffered a cyberattack in which it lost sensitive information on millions of customers.

In a new 8-K form filed with the US Securities and Exchange Commission (SEC), the company said it was made aware of the attack on June 9, 2025, and a subsequent investigation determined the threat actors managed to steal, “a limited dataset containing certain personal information of a subset of approximately 8.4 million users”.

That includes people’s names, phone numbers, car registration numbers, postal addresses, and email addresses - but at this time, Zoomcar says it has no reason to believe financial information, passwords, or other sensitive identifiers were compromised.

No disruption

Responding to the attack, the company activated its incident response plan, and took “immediate action” to contain the threat.

This was apparently too little too late, though, as the company was actually made aware of the incident by the threat actors themselves.

Zoomcar said they hackers reached out to “certain employees” claiming to have made the breach, suggesting they dwelled on the systems long enough to exfiltrate whatever information they sought.

It wasn’t explained why the attackers reached out to their victims, but it’s safe to assume they demanded payment in exchange for deleting the stolen files. T

he wording of the 8-K filing suggests Zoomcar did not pay any ransom. Instead, it implemented “additional safeguards” across the cloud and internal network, increased system monitoring, and reviewed access controls.

Furthermore, it brought in a third-party cybersecurity expert for further assistance, and notified regulators and the police about the incident.

“To date, the incident has not resulted in any material disruption to the company’s operations,” Zoomcar concluded.

However, the company continues to evaluate the scope and potential impacts of the event, including legal, financial, and reputational considerations, as well as any associated remediation costs.

Via TechCrunch

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.