ShellCodeX
Tools • Events • News • Insights
ShellCodeX Breach Report

Carnival Data Breach

carnivalcorp.com
Significant exposure
Verified breach
Accounts exposed 7,531,359
Breach date 18 Apr 2026
Added to tracker 24 Apr 2026
Data classes 7

What happened

In April 2026, the notorious hacking collective ShinyHunters claimed they had obtained a substantial volume of data belonging to the Carnival cruise operator and attempted to extort the organisation to prevent the data from being leaked. The following week, the group published the data publicly, which contained 8.7M records with 7.5M unique email addresses. The data contained fields indicating it related to the Mariner Society loyalty program run by Holland America, a cruise line brand under Carnival, and included names, dates of birth, genders and data relating to status within the loyalty program. Carnival acknowledged a phishing incident involving a single user account and advised they were working to better understand the scope of the unauthorised activity.

Exposed data

Dates of birth Email addresses Genders Geographic locations Loyalty program details Names Salutations

Recommended actions

  • Watch for targeted phishing emails referencing Carnival — attackers weaponise breach data quickly.
  • Exposed identity data raises identity-theft risk — consider credit monitoring or a credit freeze.
  • Check whether your email address appears in this breach on haveibeenpwned.com.
Am I affected? Check whether your email address appears in this breach.
Check on HIBP