Carnival Corporation, a global cruise operator, suffered a data breach in April 2026 that exposed 7,531,359 unique email addresses from 8.7 million records. The breach was publicly disclosed when the threat actor ShinyHunters published the data after an extortion attempt failed. The compromised data pertained to the Mariner Society loyalty program operated by Holland America, a Carnival brand.
The attack vector was a phishing incident that compromised a single user account, granting unauthorized access to the loyalty program database. The exposed data included names, dates of birth, genders, and loyalty program status details. ShinyHunters, a known hacking collective, claimed responsibility and published the data after Carnival did not meet their extortion demands.
Carnival acknowledged the phishing incident and stated they were working to understand the full scope of the unauthorized activity. No further details on regulatory notifications, litigation, or ransom payments were provided in the article.
Attack vector: phishing incident involving a single user account
Carnival's breach underscores the critical need for robust phishing-resistant authentication, such as multi-factor authentication (MFA), especially for accounts with access to sensitive customer databases. The compromise of a single user account via phishing led to the exposure of over 7.5 million loyalty program records, indicating insufficient access controls and monitoring. Organizations in the travel sector should implement strict access segmentation and real-time anomaly detection to limit the blast radius of credential theft.