Cabify is reviewing claims that a threat actor obtained a database containing detailed information about hundreds of thousands of its drivers. A user known as Perro posted samples on an online forum and offered the full dataset for sale. The samples appear to include full names, home addresses, phone numbers, email addresses, and identifiers linked to Facebook Account Kit. Researchers who examined the material say the structure of the data is consistent with information collected during driver onboarding.
Cabify, headquartered in Madrid and operating across Spain and Latin America, has not confirmed whether its systems or those of a third party were compromised. The company has also not commented on when the alleged data was obtained or whether it relates to current or former drivers. Analysts note that the leaked fields suggest the source could be a registration or identity verification system rather than routine support data. Driver onboarding commonly involves collecting personal and contact information, along with social media or platform identifiers used for authentication.
The nature of the exposed data raises concerns because the records include multiple pieces of personal information that can be combined to impersonate drivers or target them with fraudulent messages. Addresses, phone numbers, and email information can be used for social engineering. Social media identifiers could enable criminals to link online accounts to real-world profiles, boosting the credibility of targeted scams. Security specialists say that datasets of this size are attractive to threat actors because they offer broad opportunities for identity-based attacks.
Regulatory considerations also come into focus. If the data is confirmed to be genuine and sourced from Cabify’s systems, the company would be required to assess notification obligations under European privacy law. The General Data Protection Regulation requires organisations to notify regulators and affected individuals when exposed information creates a risk of harm. Personal details such as residential addresses and contact information are considered sensitive when linked to an identifiable individual. Companies operating across multiple regions must also coordinate with regional authorities if the data involves drivers outside the European Union.
The incident highlights the cybersecurity challenges faced by mobility platforms that manage large volumes of identity information. Driver registration systems handle government-issued identification, background screening documents, and detailed contact information that can remain valuable to criminals long after it is collected. These platforms may not always have the same level of security investment as financial institutions, despite holding equally sensitive data. Analysts say that leaked onboarding records often continue to circulate on underground forums even after initial sales, leading to long-term exposure for affected individuals.
Cabify has not provided a timeline for its internal review. Security researchers recommend that drivers who have shared information with the company remain alert to messages requesting personal data, unexpected verification prompts, or changes to account details. They also advise monitoring financial and identity accounts for unusual activity while the company investigates the claim.