Carnival: ShinyHunters cruised off with 6M customer records
Jump to main content
REG AD
Cyber-Crime
Carnival confirms ShinyHunters cruised off with 6M customer records after April breach Travel and leisure giant was just one of many victims of the cybercrooks' crime spree this year
Connor Jones Connor Jones
Cybersecurity reporter
Published thu 28 May 2026 // 13:10 UTC
Carnival Corporation - the world's largest cruise operator - has confirmed a digital heist, a month after hacking crew ShinyHunters claimed to have stolen millions of customers' records.The breach, Carnival confirmed, stemmed from an April 14 social engineering attack on an employee, though the company declined to comment on the scale or name ShinyHunters.However, a company filing with the Maine attorney general's office puts the number of affected individuals at just under six million, down from the 8.7 million records previously listed by Have I Been Pwned.
REG AD
Carnival previously acknowledged the phishing attack at the time, but it did not say whether any data had been accessed or stolen.
REG AD
ShinyHunters claimed it lifted terabytes' worth of Carnival records and hinted at a breakdown in negotiations, likely related to the criminal outfit's extortion demands."The company failed to reach an agreement with us despite our incredible patience," ShinyHunters wrote on its data leak site, adding: "They don't care." MORE CONTEXT ShinyHunters claim they have cruise giant Carnival's booty as 7.5M emails surface
'Several dozen' high-value corporations hit by new extortion crew in helpdesk phishing spree
Have I Been Pwned claims Pitney Bowes hit by 8.2M email address leak
Smooth criminals talking their way into cloud environments, Google says
Following a "thorough and time-consuming analysis of the impacted data," Carnival confirmed that names, addresses, email addresses, phone numbers, dates of birth, and state identification numbers were all included in the breach. As is often the case in data theft incidents, individuals will be affected to different degrees, depending on what information they shared with the company.Carnival began sending notifications directly to affected individuals on Wednesday. Those communications include details about how recipients can redeem two years of free credit monitoring services, as is common in US breach notifications, via TransUnion. It closed its message with a promise to improve: "In addition to the comprehensive security measures the company had in place prior to the incident, it has taken steps to further safeguard its systems, including enhancing its security and monitoring controls. "The company will continue to advance its IT security and data privacy controls to stay ahead of an ever-evolving threat landscape." ®
data breach cyber-crime phishing shinyhunters security carnival
REG AD
public sector
ICE to keep an eye on your eyes under $25M biometric scanner deal
And you thought a face recognition app was intrusive?
Security
No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out
Researcher reported the vuln in March. Maintainers haven't responded to his messages since
PARTNER CONTENT
AI and data sovereignty in Postgres: An answer to the datacenter energy crisis
A billion AI agents walk into a power grid
Legal
23andMe inherits lawsuit over 'disturbing' DNA data breach
California AG claims genetics biz downplayed 2023 mega-leak while paying ransom to attacker
Systems
EU's digital sovereignty boo-boo may be the best thing to ever happen to the project
DIY or die. Just don't let the CIA buy it
software
UCLA seeks pre-litigation resolution with Oracle
Discussion understood to concern delayed SaaS transformation project
MOST POPULAR
AI + ML Google has seriously leaned into AI enshittification lately Security Anthropic to release Mythos-class models to the public Security Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops Operating Systems Linus Torvalds to ‘start being more hardnosed’ about ‘pointless pull requests’ – some of which come from AIs Security Megalodon chums the waters in 5.5K+ GitHub repo poisonings