Cabify Data Breach Exposes 430,000 Driver Identity Documents And Sensitive Personal Records

The Cabify data breach has emerged as one of the most serious identity leaks tied to the European ride hailing sector in recent years. More than 430,000 driver records containing identity documents, license information, addresses, and contact details have allegedly been exposed by a threat actor who began advertising the dataset on a dark web marketplace on November 15, 2025. The seller, operating under the alias “Perro,” claims to possess a complete database of Cabify drivers with extensive personal information typically used for onboarding, verification, and driver account management.

Cabify, accessible at Cabify, is one of Spain’s largest mobility and transportation platforms, with operations extending throughout Latin America and multiple European regions. Due to its regulatory obligations, the company maintains identity, licensing, and background verification documents for every active driver. The presence of such a large, structured identity dataset offered for sale raises major concerns for both regulatory compliance and long term fraud risk.

Background And Discovery Of The Cabify Data Breach

The appearance of the stolen dataset was first identified by threat monitoring analysts who track criminal marketplaces for large scale identity leaks. The listing included several sample records containing full names, usernames, email addresses, phone numbers, complete home addresses, national identity numbers, driver license numbers with issuance and expiration dates, and even social media identifiers such as Facebook account IDs. The structure of the leaked fields indicates that the information most likely originated from an internal identity verification database rather than a user profile system or customer platform.

While Cabify has not publicly confirmed an intrusion, the level of detail in the seller’s samples suggests legitimate identity records rather than fabricated data. Many ride hailing platforms maintain extensive driver verification archives to meet national transportation laws. These archives often include images of identity cards, license details, background check results, and complete personal profiles of drivers. When such data is exposed, it provides threat actors with an extremely powerful set of identity materials that can be leveraged for a range of criminal operations.

Scope Of Stolen Data

Based on the information provided by the threat actor, the Cabify data breach includes fields commonly associated with regulated driver onboarding processes. The stolen dataset allegedly contains:

• Full names of registered drivers
• Email addresses
• Cabify usernames
• National identity card numbers
• Driver license numbers
• Driver license issuance dates
• Driver license expiration dates
• Registered phone numbers
• Complete residential addresses
• Residence city and country
• Facebook account IDs

When identity documents, license records, and residential addresses are exposed together, the resulting risk levels increase significantly. Criminal organizations specializing in identity fraud often combine leaked information with other data sources to fabricate full synthetic identities, create counterfeit license documents, bypass online verification systems, or impersonate individuals in financial and government processes. Because ride hailing companies require government issued identification for driver approval, breaches such as the Cabify data breach are particularly valuable to criminal buyers.

Why The Cabify Data Breach Is Especially Dangerous

Not all data breaches carry the same level of risk. Many incidents involve email addresses or simple account information. The Cabify data breach is far more severe due to the depth and completeness of the exposed identity data. Breaches involving government issued documents represent some of the highest risk categories in cybersecurity because:

• Identity card numbers can be used to commit financial fraud
• Driver license numbers can be used to bypass KYC checks
• Complete residential addresses can assist with impersonation
• Phone numbers facilitate account takeover attempts
• Email addresses allow for targeted phishing campaigns
• Social media IDs can enhance social engineering attacks

Criminal groups often purchase driver identity documents because they provide a full set of verifiable details used in many verification processes. In contrast to customer accounts, driver accounts contain far more thorough identity information, making breaches like this both financially valuable and long lasting in their impact.

Possible Origins Of The Breach

The Cabify data breach may have originated from several potential sources. Analysts examining similar attacks on mobility platforms have noted the following common intrusion vectors:

• Compromised third party identity verification vendors
• Unsecured databases left exposed online
• Compromise of internal employee credentials
• Phishing attacks targeting support or onboarding teams
• Insecure cloud storage environments hosting identity documents
• Vendor breaches involving document processing workflows

Threat actor comments exchanged on the forum do not explicitly state whether the breach occurred at Cabify itself or through a contractor. However, the presence of structured driver verification fields suggests access to a core driver management system or a connected intermediary platform.

Impact On Drivers

For affected drivers, the Cabify data breach could lead to immediate and long term risks. Criminals can use stolen identity documents for:

• Identity theft and fraudulent credit applications
• Creation of fake driver accounts on ride hailing competitors
• Bypassing online verification systems designed to prevent fraud
• Accessing government services illegally
• Impersonating drivers in social engineering attempts
• Targeting individuals at their home address

Many victims of identity based data breaches face repercussions for years due to the slow circulation of identity documents on dark web forums. Even after companies mitigate system vulnerabilities, stolen identity data remains active in underground markets indefinitely, often being resold repeatedly.

Risks For Customers And The Public

While the Cabify data breach primarily involves driver data, customers may also face indirect risks. Criminals often use stolen driver information to craft fraudulent messages, impersonate support teams, or exploit trust relationships between drivers and riders. For example, once attackers know a driver’s real identity and vehicle registration, they can send highly targeted messages referencing real details that increase the likelihood of a victim falling for a scam.

Furthermore, impersonation through stolen identity documents may allow criminals to create new driver accounts. Several ride hailing platforms have previously reported fraud incidents where stolen identities were used to establish accounts that were later involved in illicit activities.

Regulatory And Legal Implications

If confirmed, the Cabify data breach may trigger a series of regulatory obligations under Spanish and European law. The exposure of identity documents, license numbers, and addresses satisfies the criteria for mandatory notification under the General Data Protection Regulation. Organizations operating within the European Union must notify both affected individuals and the relevant regulatory authority when high risk personal data is exposed.

Depending on the origin of the breach, the company may also be required to provide specific remediation steps, free identity monitoring services, or detailed explanations regarding how the incident occurred. In previous EU regulated breaches, failure to notify victims in a timely manner has resulted in significant fines.

Threat Actor Behavior And Motives

The seller “Perro” appears to specialize in high volume identity datasets and has been active on several dark web markets throughout 2025. The nature of the listing indicates that the Cabify data breach is being monetized through direct sale rather than extortion. This distinguishes the incident from ransomware based breaches, where attackers demand payment to prevent the release of stolen data.

In this case, the data is being offered to any buyer. Once purchased, it may appear in additional criminal markets, be used for fraud operations, or surface again in future identity compilation leaks. Because the dataset contains more than 430,000 records, it represents a substantial asset for criminal networks that specialize in identity theft, synthetic identity creation, and financial fraud.

Mitigation Strategies For Affected Drivers

Drivers who suspect they may be affected by the Cabify data breach should consider taking the following immediate steps:

• Monitor banking and financial accounts for unusual activity
• Review national identity services for unauthorized requests
• Update passwords associated with any accounts tied to Cabify
• Enable multifactor authentication on email and social media
• Be alert to suspicious messages claiming to be from Cabify
• Check credit files for new or unauthorized accounts

Victims of identity theft often do not detect fraudulent activity until weeks or months after a breach. Early monitoring and preventative action can significantly reduce the risk of long term damage.

Protective Steps For The General Public

Even individuals who are not drivers may be targeted by attackers using stolen identity data. Criminals may pose as legitimate Cabify drivers or customer support agents using the names, photos, or identity documents of real individuals. Riders should verify any message requesting sensitive information and avoid clicking links that appear suspicious or outside official Cabify communication channels.

Recommended Security Measures

Anyone concerned that their device may have been compromised through phishing or malicious files related to the Cabify data breach should run a complete system scan. Using a trusted tool such as Malwarebytes can help detect threats delivered through fraudulent messages or malicious downloads.

Ongoing Monitoring And Future Updates

The Cabify data breach is still unfolding, and additional leaks or confirmations may appear in the coming days. Analysts continue to track the seller and the dataset to determine whether new samples are published, whether additional Cabify systems are implicated, and whether criminal buyers begin using the stolen data in fraud campaigns.

Readers can follow developing updates on this incident and other large scale breaches in the Data Breaches section and the Cybersecurity category.