Last updated: July 5, 2026 at 9:01 AM UTC
Tag: carnival (2 articles)

Carnival Corporation confirms breach affecting 5,995,277 customers - April 10 social-engineering of employee account, ShinyHunters claimed

Carnival Corporation, the world's largest cruise-line operator with 90+ ships across Carnival, Princess, Holland America, Costa, P&O, Cunard, AIDA, and Seabourn, has confirmed a breach affecting 5,995,277 customers. The intrusion began April 10 when an employee was social-engineered into giving up account credentials; Carnival's IT team detected the unauthorized activity on April 14. ShinyHunters claimed responsibility in April and listed the company on its data leak site. Carnival served around 13.5 million guests in 2024 across its fleet. The company is now notifying affected individuals. The pattern aligns with the broader ShinyHunters SaaS-extortion playbook documented across Charter, Instructure, and others over the past quarter.

Check
If users on your organization's email domains (for example, @company.com) include former customers of Carnival, Princess, Holland America, Cunard, AIDA, or Seabourn, prepare for targeted phishing themed around bookings, refunds, and loyalty programs.
Affected
5,995,277 Carnival customers across nine cruise brands. Initial access came from social engineering of an employee account on April 10. Same ShinyHunters playbook as Charter and Instructure.
Fix
Enforce phishing-resistant MFA across the cruise/hospitality estate. Train front-line staff to resist social-engineering attempts to obtain account credentials. Audit Salesforce/Entra exports for bulk-data signals.

Carnival confirms 7.5 million Holland America Mariner Society loyalty records leaked after ShinyHunters' extortion deadline passed unpaid

Carnival Corporation has been confirmed as a ShinyHunters breach victim, and the data is now public. Have I Been Pwned added the breach on April 23 with 7,531,359 unique email addresses drawn from 8.7 million records. The data comes from the Mariner Society loyalty program operated by Holland America Line, one of Carnival's cruise brands, and contains full names, dates of birth, genders, email addresses, and loyalty program status fields. ShinyHunters initially listed Carnival on its 'pay or leak' portal on April 18 with an April 21 deadline alongside Zara, 7-Eleven, and roughly 40 other organizations. When Carnival did not pay, the group published the dataset on its leak site this week. Carnival confirmed to reporters that the initial access came from a phishing compromise of a single employee account - a reminder that ShinyHunters continues to rely on human-layer intrusion rather than novel exploits. For anyone whose email, date of birth, or customer record appears in the dataset, the immediate risk is highly targeted phishing and account-takeover attempts that reference genuine Holland America booking details.

Check
If your organization has ever done corporate bookings, incentive travel, or employee perks through Holland America, Princess, or other Carnival brands, notify affected staff today and watch for cruise-themed phishing referencing genuine loyalty-program details over the coming weeks.
Affected
Anyone who has a Mariner Society loyalty account with Holland America Line, and by extension anyone who has booked a Holland America cruise through loyalty channels. The exposed fields (name, date of birth, email, gender, loyalty status) are foundational identity data - strong enough to power convincing impersonation, knowledge-based authentication bypass, and targeted spear-phishing.
Fix
Check Have I Been Pwned to confirm whether your address is in the Carnival dataset. If it is, watch for phishing emails pretending to be from Holland America or other Carnival brands that reference your real past bookings or loyalty tier - treat any such message as hostile and navigate to the Holland America site directly rather than clicking links. Rotate passwords on any account that shares a password with Mariner Society. At an organizational level, add 'holland-america.com' and 'hollandamericafund.com' lookalike domains to your DMARC and brand-monitoring watchlists, and brief travel-desk staff that any Mariner Society outreach should be verified by phone.