Škoda Discloses Customer Data Breach After Online Shop Hack
Škoda Auto disclosed a data breach after attackers exploited a vulnerability in its e-commerce portal, stealing customer names, addresses, and password hashes.

Executive Summary
Škoda Auto, the Czech carmaker and wholly owned subsidiary of the Volkswagen Group, disclosed a data breach on May 12, 2026, after attackers exploited an unspecified vulnerability in its online shop's software. The breach exposed customer personal information including names, addresses, email addresses, phone numbers, order details, and password hashes. Škoda stated that full credit card details were not compromised as they are processed exclusively by third-party payment providers. The company has fixed the vulnerability and reported the incident to data protection authorities.
Technical Analysis
According to Škoda's disclosure, threat actors gained unauthorized access to the e-commerce portal by exploiting a vulnerability in the standard software powering the online store. The company did not identify the specific software or CVE ID associated with the flaw. After detecting the intrusion through its technical security monitoring, Škoda engaged a specialized IT forensics team to analyze the incident.
The stolen data includes a combination of personally identifiable information (PII) and authentication credentials. Specifically, attackers accessed names, addresses, contact information, phone numbers, order records, and login credentials consisting of email addresses and cryptographic password hashes. Škoda confirmed that financial information was not stored on the compromised systems, which limits the exposure of payment data.
The company stated it has no evidence that the accessed data has been misused so far, but warned affected customers about potential phishing attacks that reference their relationship with Škoda. The carmaker also advised customers who reused passwords across multiple online accounts to change those credentials, as attackers may attempt credential stuffing attacks with passwords recovered from the stolen hashes.
Škoda's announcement follows a pattern of cyber incidents targeting automotive manufacturers. In October 2025, Renault and Dacia disclosed a data breach affecting UK customers that exposed vehicle identification numbers and registration data. In September 2025, Jaguar Land Rover suffered a cyberattack that caused a 43% decline in third-quarter wholesale volumes and cost the company over $220 million due to production and retail disruptions.
Mitigations & Recommendations
Škoda has resolved the exploited vulnerability and reported the incident to the relevant data protection supervisory authority. Affected customers should remain vigilant against phishing emails, text messages, or phone calls referencing their relationship with Škoda or orders placed in the online store. The company advises against clicking links or entering login credentials in response to unsolicited communications. Customers should monitor bank statements and credit card bills for unusual activity and notify their bank or payment provider if anything suspicious appears. For users who reused their Škoda online shop password on other accounts, changing those passwords immediately is recommended to prevent credential stuffing attacks.
