Europcar GitLab breach exposes up to 200,000 customer records

What happened

A hacker breached the GitLab repositories of Europcar Mobility Group, gaining access to application source code and customer information. The attacker, who threatened to release 37GB of stolen data, attempted to extort the multinational car rental company, which operates brands like Europcar, Goldcar, and Ubeeqo across 140 countries.

The compromised data includes Android and iOS app source code, SQL backups, and application configuration files. The company confirmed the breach and is currently assessing the full scope of the damage.

Going deeper

GitLab is a platform used by developers to store and manage source code. The attacker announced the breach in late March, claiming they had accessed all of Europcar's GitLab repositories. The stolen files reportedly include over 9,000 SQL backups and at least 269 .ENV files, which often contain sensitive environment variables, credentials, and other configuration data.

To validate the breach, the hacker published screenshots showing employee login credentials found in the source code. While Europcar has confirmed the authenticity of the compromise, it clarified that not all source code was taken.

The customer data exposed appears to be limited to names and email addresses of users from Europcar’s Goldcar and Ubeeqo services, some dating back to 2017 and 2020. Estimates suggest that 50,000 to 200,000 individuals may be affected. More sensitive data like banking information, passwords, and biometric details were not part of the breach.

Europcar has begun notifying impacted customers and has reported the incident to the relevant data protection authority. The breach vector remains unclear, though recent trends suggest the possibility of stolen credentials from infostealer malware.

In the know

This isn’t Europcar’s first run-in with cybersecurity concerns. In 2022, researchers discovered an admin token embedded in the company’s mobile app code, an oversight that could have exposed customer biometric data. Then in 2024, Europcar was at the center of a hoax when someone on a hacker forum falsely claimed to have stolen the personal information of nearly 50 million customers, including names, addresses, birth dates, and driver’s license numbers.

The big picture

The Europcar breach shows how source code and configuration files can become valuable targets, especially when they contain embedded credentials or infrastructure insights. While this breach did not expose high-risk personal data like financial or biometric information, the theft of backend code and app data still poses long-term risks for both the company and its users.

FAQs

How can source code leaks impact a company long-term?

Exposed source code can reveal security flaws, business logic, and system architecture—making future attacks easier and potentially undermining customer confidence.

What should customers do if they think their data was compromised?

Customers should be cautious of phishing attempts, monitor their email accounts for suspicious activity, and consider using email protection or two-factor authentication.

How can companies secure their code repositories?

Best practices include enforcing multi-factor authentication, limiting access, scanning for secrets in code, and regularly auditing repository permissions and activity.

What role do regulators play after a data breach?

Regulators may investigate the breach, assess whether data protection laws were violated, and impose fines or corrective measures if necessary.