Carnival confirms 7.5 million Holland America Mariner Society loyalty records leaked after ShinyHunters refused extortion deadline

Carnival Corporation has been confirmed as a ShinyHunters breach victim, and the data is now public. Have I Been Pwned added the breach on April 23 with 7,531,359 unique email addresses drawn from 8.7 million records. The data comes from the Mariner Society loyalty program operated by Holland America Line, one of Carnival's cruise brands, and contains full names, dates of birth, genders, email addresses, and loyalty program status fields. ShinyHunters initially listed Carnival on its 'pay or leak' portal on April 18 with an April 21 deadline alongside Zara, 7-Eleven, and roughly 40 other organizations. When Carnival did not pay, the group published the dataset on its leak site this week. Carnival confirmed to reporters that the initial access came from a phishing compromise of a single employee account - a reminder that ShinyHunters continues to rely on human-layer intrusion rather than novel exploits. For anyone whose email, date of birth, or customer record appears in the dataset, the immediate risk is highly targeted phishing and account-takeover attempts that reference genuine Holland America booking details.

Check
If your organization has ever done corporate bookings, incentive travel, or employee perks through Holland America, Princess, or other Carnival brands, notify affected staff today and watch for cruise-themed phishing referencing genuine loyalty-program details over the coming weeks.
Affected
Anyone who has a Mariner Society loyalty account with Holland America Line, and by extension anyone who has booked a Holland America cruise through loyalty channels. The exposed fields (name, date of birth, email, gender, loyalty status) are foundational identity data - strong enough to power convincing impersonation, knowledge-based authentication bypass, and targeted spear-phishing.
Fix
Check Have I Been Pwned to confirm whether your address is in the Carnival dataset. If it is, watch for phishing emails pretending to be from Holland America or other Carnival brands that reference your real past bookings or loyalty tier - treat any such message as hostile and navigate to the Holland America site directly rather than clicking links. Rotate passwords on any account that shares a password with Mariner Society. At an organizational level, add 'holland-america.com' and 'hollandamericafund.com' lookalike domains to your DMARC and brand-monitoring watchlists, and brief travel-desk staff that any Mariner Society outreach should be verified by phone.
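One way to apply the watchlist advice at a mail gateway or in a log review, as an added example that is not part of the original article: it classifies `From` headers against the two domains named above and flags close variants of the brand name. Treating `hollandamerica.com` as the legitimate sending domain is an assumption, and the function names, folding table and edit-distance threshold are illustrative choices.

```python
from email.utils import parseaddr

# Assumption: the brand's legitimate sending domain; replace with your own allowlist.
LEGIT = {"hollandamerica.com"}
# The two domains named in the article's watchlist advice.
WATCHLIST = {"holland-america.com", "hollandamericafund.com"}
BRAND = "hollandamerica"
# Fold common digit-for-letter swaps and separators before comparing.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None, "_": None})

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def in_zone(domain, zones):
    """True if domain equals, or is a subdomain of, any entry in zones."""
    return any(domain == z or domain.endswith("." + z) for z in zones)

def classify(from_header):
    """Return legit, watchlist, lookalike, other, or unparsed for a From header."""
    # parseaddr returns the real address, not one typed into the display name.
    addr = parseaddr(from_header)[1]
    if "@" not in addr:
        return "unparsed"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if in_zone(domain, LEGIT):
        return "legit"
    if in_zone(domain, WATCHLIST):
        return "watchlist"
    # Check every label so the brand name placed in a subdomain is caught too.
    for label in domain.split("."):
        folded = label.translate(FOLD)
        if BRAND in folded or edit_distance(folded, BRAND) <= 2:
            return "lookalike"
    return "other"

# Constructed sample headers; .example domains are reserved and not real senders.
SAMPLES = [
    "Rewards <promo@h0llandamerica-rewards.example>",
    '"support@hollandamerica.com" <x@mail.example>',
]
if __name__ == "__main__":
    print(*(f"{classify(s)}\t{s}" for s in SAMPLES), sep="\n")
```

The second sample shows why the display name is ignored: a brand address typed there says nothing about the actual sender, so that message is classified by its real domain and should be caught by a separate display-name check.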