A hacker has broken into the private code repositories of Europcar Mobility Group, a major global car rental company, and stolen important information, including app source code and some customer data.
The stolen files reportedly include the code for Europcar’s mobile apps for both Android and iOS. The hacker also managed to get access to database backups and files with sensitive settings from the company’s internal systems. To pressure the company, the hacker threatened to leak around 37GB of this stolen data unless they were paid.
Europcar Mobility Group, which owns brands like Europcar, Goldcar, and Ubeeqo, offers a wide range of vehicles from small city cars to trucks and luxury models. The company operates in over 140 countries across Europe, North America, Asia, and Africa.
In late March, someone claiming responsibility for the breach came forward on a hacking forum, saying they had successfully accessed Europcar’s GitLab repositories — a place where developers store and manage their code. They claimed to have copied over 9,000 database backup files and more than 260 configuration files, some of which contained usernames, passwords, and other internal data.
To prove the hack was real, the person even shared screenshots showing login credentials that were found inside the code. Europcar has confirmed that the breach did happen and is now investigating to understand how much damage was done.
However, not all of the company’s code was stolen. Some parts of their system remained untouched. From what is known so far, the stolen customer data includes names and email addresses from users of Goldcar and Ubeeqo, and it may affect somewhere between 50,000 and 200,000 people — some dating back to 2017 or 2020.
The good news is that more sensitive information like bank details, passwords, or driver’s license numbers was not part of the stolen data. Europcar is now informing customers who were affected and has also reported the incident to the proper data protection authorities.
It’s still unclear how the hacker got into Europcar’s systems. In similar past cases, hackers used login information stolen through malware to break in. This isn’t the first time Europcar has been targeted — last year, someone falsely claimed they had details of 50 million customers. In 2022, a security researcher found a serious mistake in Europcar’s mobile app code that could’ve exposed customer biometric data, though that issue was later fixed.
This latest breach is another reminder of how important it is for companies to secure their systems and avoid leaving sensitive information in code files.
