[wheelguy]

The data includes names, email ids, passwords, mobile numbers and IP addresses. The hacker is offering to sell data of Zoomcar users for $300.

Quote:

Personal data of around 3.5 million Zoomcar users has been up for sale on what is known as the Dark Web since Thursday, according to a cybersecurity consultant.

Dark Web refers to that area of cyberspace where content cannot be searched using normal search engines because it is encrypted.

“The hacker has been privately selling the data for $300 but now he has made it public on the Dark Web,” said Rajshekhar Rajaharia, the cybersecurity consultant who alerted Zoomcar about the hacker’s plan.

Zoomcar competes with other self-drive car rental startups such as Drivezy and Revv. The data breach took place in July 2018, according to the hacker.

Hackers avoid offering the stolen data for sale soon after a breach since that makes it easier for law enforcement officials to track their internet protocol (IP) addresses, Rajaharia said. Selling the data after a year makes it difficult to track the source of the breach. Zoomcar did not reply to an email seeking comment.

Source

[Nissan1180]

The worst consequence is that the driving license will be leaked. It can be used as an identity proof somewhere else.
Also, the breach took place 2 years ago. They are reporting on it now?

[warrioraks]

Quote:

Originally Posted by Nissan1180

The worst consequence is that the driving license will be leaked. It can be used as an identity proof somewhere else.
Also, the breach took place 2 years ago. They are reporting on it now?

I think what the article intends to say is that the breach happened 2 years back but the company was alerted of it now.

Zoomcar has been struggling financially since some time (someone who worked in the company told me). Now they would see even tougher times because of lack of demand.
With this leak, the company has practically hit rock bottom. Infact the news could not have come at a better time for the company. Due to Corona, no one is renting their cars anyways.

[raksrules]

This is a good time to remind everyone here that if you used the same password as on zoomcar on any other websites, you should change them right now.

[Turbanator]

Data of 3.5 million Zoomcar customers up for sale

Looks they messed up their backend just like their Ill-maintained cars.

https://auto.economictimes.indiatime...-sale/75901065

[ashishy]

Quote:

Originally Posted by Turbanator

Data of 3.5 million Zoomcar customers up for sale

Looks they messed up their backend just like their Ill-maintained cars.

https://auto.economictimes.indiatime...-sale/75901065

And this will be swept under the rug instead of addressing the issue like their customer support deals with customer grievances. Their greedy management and leadership needs to do some self introspection. Zoomcar is in a sad state now

[Miyata]

Quote:

Originally Posted by Turbanator

Data of 3.5 million Zoomcar customers up for sale

Such leaks and breaches are likely to further increase owing also to the increased WFH.

Everyone that had/has Zoomcar account should immediately change their password and as is typically recommended have a long (>15 char) convoluted password. I have an account with zoomcar as well although not using any more since very long.

In addition to changing the password, would be also good to enable the two-step authentications.

[Sran]

Yesterday I read about a data leak from a job site. Over 3 crores CV's of Indians are for sale on dark web. A CV has every information on it. Full name, age, address, email, telephone number, birthdate, parents name and educational qualification.

https://www.outlookindia.com/newsscr...report/1844061

50 crores of Facebook users data with email, photo, location and all information was leaked few months ago.

[Rehaan]

I have my doubts everytime "3.5 Million 'WEBSITE-X' passwords" are offered for sale on the dark web.


Most of the times, it's not a data breach. It's marketing.

What?? How?

Imagine this: Some hacker has collected emails, passwords, names, from hundreds of different sources along the years. Could be a when Geocities was breached in 2006 or when you clicked on a phishy link in 2012 and thought you were signing in to see some urgent document Pratik uncle shared with you.

The hacker now has that info, but doesn't really know what to do with it.

It's probably an old username, a very old password, and not much else.

Modern website security will make it a bit of a pain for him to test each of the 3.5 million logins against every bank's netbanking login. It will take forever (they rate-limit these things), chances of a hit are low, you'll probably need an OTP, and so it's probably not worth the effort.

So what does the smart hacker do?

He re-packages his little bundle to get traction & eyeballs. #marketing

"I have 3.5 million addresses & passwords collected over the last 15 years"

...is way less sexy than...

"LEAKED! User data of 3.5 million ZoomCar users"

The latter if timed well will also get tons of press. (eg. recently the Zoom (videoconferencing app) leak -- since that was the hot news, these guys just marketed their data for sale as 'zoom users').

Has anyone bothered to look through the 3.5 Million addresses and verify that they are all actually ZoomCar users? I think not.

If someone bought it, and verified that these 3.5 Million users are in fact NOT all ZoomCar users, is he going to get a refund from the hacker?


A second way this is marketing, is sometimes it's an excellent add-on to a smear campaign.

Ironically, the only people who'd be willing to spend $300 to check if this is true or false are ZoomCar themselves. That comes with it's own moral complications (eg. would you pay someone who stole from you?).


In closing:
- Don't believe every headline you read
- Don't use the same password on more than 1 website

[TejasKinger]

One easy way to check if your account has been compromised in a data breach is by using the website Have I Been Pwned. The site is mostly up to date with details of every new data breach and can tell you if and when your accounts have been compromised.

[vijai]

Ways to be safe in my opinion:
1. Use social login like Google, Facebook, twitter whenever possible
2. Secure your social media accounts with 2fa (2 factor authentication) via either sms or a t-otp app like authy (free for all platforms) and a strong password. This will be only of the few passwords you'd ever have to remember.
3. If social login is not possible, use password manager (I personally recommend bitwarden (free and open-source for all platforms) to generate random password. Bitwarden will help with filling the password anyway. Bitwarden when using their paid subscription (their early plan is so cheap and affordable), checks for passwords you have saved against data breach databases.
4. Secure the password manager with 2fa again.
5. If your password manager comes with t-otp support, do not use it. If at all the password manager is compromised, your 2fa is as good as nothing. Always keep them separate.

Personally, I do not use password managers for high security accounts like my NetBanking. I have my own math algorithm to generate and rotate my passwords for them every 2 months so I do not forget them or reuse the older passwords ever. A overkill may be. But any protection is not the best protection in my opinion.

[girimajiananth]

Quote:

Originally Posted by TejasKinger

One easy way to check if your account has been compromised in a data breach is by using the website Have I Been Pwned. The site is mostly up to date with details of every new data breach and can tell you if and when your accounts have been compromised.

Does it say on which sites the password has been compromised ?

[GTO]

If the claim is true, I can imagine ZoomCar competitors lining up to purchase that data!

Meanwhile, ZoomCar has this to say:

Quote:

Greg Moran, Co-founder & CEO, Zoomcar added

The assertion pertaining to a breach of Zoomcar user’s password data is patently untrue. All Zoomcar data, including user passwords, is encrypted with strong algorithms that make it impossible for anyone to access. Moreover, we have a strict password rotation policy across all our assets along with a robust Akamai security layer. Furthermore, Zoomcar routinely works with external security auditors (including Big 4 audit firms) to ensure our systems & processes remain robust and best-in-class at all times.

Quote:

Originally Posted by warrioraks

Zoomcar has been struggling financially since some time

I heard the same thing. Basically, more than half their target market (i.e. those visiting a new city) has been taken over by Uber / Ola. My source says the lack of funds show in their shoddy fleet quality & management.

Quote:

Originally Posted by girimajiananth

Does it say on which sites the password has been compromised ?

I think that needs a subscription.

[Axe77]

Quote:

Originally Posted by GTO

If the claim is true, I can imagine ZoomCar competitors lining up to purchase that data!

.

Not sure if I agree. If this is indeed hacked / stolen I should hope any competitor would think 10 times before buying it. Any investigation that traces a purchase to a competitor would definitely be bad for them legally as well as reputationally.

[TejasKinger]

Quote:

Originally Posted by girimajiananth

Does it say on which sites the password has been compromised ?

If this is what you mean, then yes. This is what shows up for my email address: