Carnival Confirms Data Breach After ShinyHunters Claims Theft of Millions of Records

Carnival Corporation has confirmed a data breach just weeks after the ShinyHunters hacking group claimed it had stolen millions of customer records from the cruise giant.

The company said the incident stemmed from a phishing attack that compromised a single employee account, allowing an unauthorized actor to access part of its internal systems.

According to Carnival, its security team detected the suspicious activity on April 14, 2026, and determined that the attacker had used social engineering to deceive an employee and gain limited access. While the company has not publicly detailed the full scope of the intrusion, ShinyHunters listed Carnival on its “pay or leak” portal four days later and claimed it had obtained data tied to the Mariner Society loyalty program operated by Holland America Line, a Carnival subsidiary.

Have I Been Pwned reported that the leaked dataset allegedly contained 8.7 million records, including 7.5 million unique email addresses, along with names, dates of birth, genders, email addresses, and loyalty status information. However, Carnival’s official filing with Maine regulators states that 5,995,277 individuals were affected.

The company began notifying impacted customers on May 27 and is offering eligible U.S. residents two years of complimentary credit monitoring through TransUnion. Carnival said it has strengthened its security controls in response to the incident, adding new monitoring capabilities and enhancing its defenses to address evolving threats.

The breach adds to a growing list of cybersecurity incidents the company has faced in recent years, raising renewed questions about the resilience of its systems. Carnival said it remains committed to improving its IT security and data privacy posture, but the latest intrusion underscores the ongoing challenges large organizations face as cybercriminals continue to target high‑value consumer data.