
Carnival Corporation confirms breach affecting 5,995,277 customers - April 10 social-engineering of employee account, ShinyHunters claimed

Carnival Corporation, the world's largest cruise-line operator with 90+ ships across Carnival, Princess, Holland America, Costa, P&O, Cunard, AIDA, and Seabourn, has confirmed a breach affecting 5,995,277 customers. The intrusion began April 10 when an employee was social-engineered into giving up account credentials; Carnival's IT team detected the unauthorized activity on April 14. ShinyHunters claimed responsibility in April and listed the company on its data leak site. Carnival served around 13.5 million guests in 2024 across its fleet. The company is now notifying affected individuals. The pattern aligns with the broader ShinyHunters SaaS-extortion playbook documented across Charter, Instructure, and others over the past quarter.

Check
If users on your @company.com domains include former Carnival, Princess, Holland America, Cunard, AIDA, or Seabourn customers, prepare for targeted phishing themed around bookings, refunds, and loyalty programs.
Affected
5,995,277 Carnival customers across nine cruise brands. Initial access came from social engineering of an employee account on April 10. Same ShinyHunters playbook as Charter and Instructure.
Fix
Enforce phishing-resistant MFA across the cruise/hospitality estate. Train front-line staff to resist social-engineering attempts to obtain account credentials. Audit Salesforce/Entra exports for bulk-data signals.