IRCNF

ShinyHunters breach exposes personal data of 6 million Carnival cruise customers

SecurityWeek

Carnival Corporation has confirmed a data breach affecting nearly 6 million people, with the cruise giant beginning to notify victims this week after a months-long investigation traced the full scope of the incident.

How the attack happened

The breach began on April 14, 2026, when attackers used social engineering to deceive a Carnival employee into handing over account credentials. With that foothold, the hackers accessed company systems and exfiltrated files containing personal information. Carnival identified the intrusion the same day it occurred, but completing the forensic analysis of every compromised file took until late May — hence notifications only going out now.

According to a filing with the Maine Attorney General's Office, exactly 5,995,277 people are affected. The stolen data varies by individual but typically includes full names, home addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers such as driver's license and passport numbers.

ShinyHunters published the data after Carnival refused to pay

The extortion group ShinyHunters claimed responsibility in late April and published roughly 8.7 million records on its leak site after Carnival refused to pay. Data breach notification service HaveIBeenPwned analyzed the leaked dataset and found that approximately 7.5 million of those accounts belong to the Mariner Society loyalty program operated by Holland America Line, one of Carnival's cruise brands. The discrepancy between the 8.7 million ShinyHunters claimed and the 5.99 million Carnival officially acknowledges likely reflects deduplication and records tied to non-individuals.

A pattern of repeat breaches

This is not Carnival's first encounter with hackers. The company suffered a breach in 2019, a ransomware attack in 2020, and a third intrusion in March 2021. The recurrence raises serious questions about whether meaningful security improvements were made after those earlier incidents. Social engineering — the same technique used here — has become the dominant initial access vector across the industry, and security experts say companies continue to underinvest in defenses against it.

What affected customers should do

Carnival is offering all 5.99 million affected individuals 24 months of free credit monitoring services. People who received a notification letter should enroll promptly, particularly if their passport or government ID numbers were among the exposed data. Those details, combined with addresses and dates of birth, are exactly what's needed for identity fraud.

ShinyHunters is a prolific threat actor responsible for breaches at dozens of major companies. Their typical playbook involves social engineering an employee, exfiltrating data quietly, demanding ransom, and publishing the data when refused. Carnival's experience this week is a near-identical repeat of what happened at Ticketmaster, AT&T, and other high-profile ShinyHunters targets over the past two years.

The incident was reported to the U.S. Department of Health and Human Services and state attorneys general. Carnival said it has engaged third-party security experts and implemented new monitoring controls, but declined to provide specifics on what changed.

Originally reported by SecurityWeek. Read the original article for additional details.
