ShinyHunters — the data extortion group (a financially motivated cybercriminal collective known for stealing large datasets from cloud environments and demanding ransom before publishing them publicly) responsible for the 2024 Ticketmaster and Santander breaches — has confirmed the theft of personal data belonging to approximately 5,995,277 Carnival Corporation customers, including passport numbers and government-issued identification data, following an April 10, 2026 intrusion into the cruise giant's systems. Carnival began sending formal breach notification letters on May 27, 2026, offering 24 months of free credit monitoring. Three class action lawsuits have already been filed in U.S. federal court.
// 01 Carnival Data Breach: What Was Stolen
According to Carnival's official breach notification and forensic investigation findings, attackers gained unauthorised access to systems containing the following categories of personal information:
- Full names
- Email addresses
- Postal addresses (physical mailing addresses)
- Phone numbers
- Dates of birth
- Government-issued identification numbers — specifically confirmed to include passport numbers and state driver's licence numbers
- Loyalty programme data (including Holland America Line's Mariner Society membership details)
Financial data — including payment card numbers and banking information — was not confirmed as part of the stolen dataset. However, the presence of passport numbers significantly elevates the identity theft risk: unlike credit card numbers, passports cannot be remotely cancelled, and passport data can be used for fraudulent visa applications, travel document forgery, and identity impersonation schemes that are difficult to reverse.
ShinyHunters claimed to have exfiltrated 8.7 million records containing approximately 7.5 million unique email addresses. Carnival's official notification figure of 5,995,277 affected individuals reflects confirmed U.S. resident victims; the gap likely represents international customers and duplicate records in ShinyHunters' dataset. After Carnival did not engage with the extortion demand, ShinyHunters published the full dataset publicly, making the data available to any downstream criminal actor.
// 02 Breach Timeline

// 03 Exploitation Status and Threat Landscape
ShinyHunters is a prolific and financially motivated data extortion group that uses a decentralised, franchise-like operational model — making law enforcement disruptions difficult even after individual members are arrested. The group first appeared in May 2020 and has since breached dozens of major organisations by targeting cloud applications and SaaS platforms, typically using stolen session tokens or phished credentials to gain access without exploiting software vulnerabilities.
Their recent operational tempo is alarming: in May 2026 alone, ShinyHunters was linked to the Carnival breach, a Canvas LMS intrusion affecting 275 million users across 8,809 institutions, and a coordinated data dump affecting Mytheresa, Zara, 7-Eleven, Pitney Bowes, and over 40 additional organisations. Previous major victims include Ticketmaster (2024), Santander Bank (2024), and SoundCloud (December 2025, 29.8 million accounts).
The group's August 2025 attack on Salesforce — stealing OAuth tokens affecting 760 customer instances — is particularly relevant context for the Carnival breach. ShinyHunters has demonstrated a capability to extract valid authentication tokens from cloud environments and use them to pivot laterally across connected applications, suggesting that the initial Carnival compromise may have leveraged a similar credential or token theft technique rather than a software exploitation vector.
// 04 Who Is Affected
All nine of Carnival Corporation's cruise line brands are potentially affected, as the company operates a shared corporate infrastructure:
- Carnival Cruise Line
- Princess Cruises
- Holland America Line (Mariner Society loyalty programme data confirmed exposed)
- Costa Cruises
- AIDA Cruises
- Cunard Line
- Seabourn Cruises
- P&O Cruises (UK)
- P&O Cruises Australia
Customers who booked cruises, created accounts, or enrolled in loyalty programmes with any of these brands and provided passport information during booking or check-in are at elevated risk. The data exposure window likely extends back several years, as travel companies retain booking records and passport copies for regulatory compliance purposes.
// 05 What You Should Do Right Now
- Enroll in the free credit monitoring offer immediately. Carnival is providing 24 months of TransUnion single-bureau credit monitoring through mytrueidentity.com. You need the activation code from Carnival's notification letter. Enroll as soon as you receive it — the offer window is time-limited.
- Place a credit freeze with all three major bureaus. A credit freeze (distinct from a fraud alert) prevents new credit accounts from being opened in your name without your explicit authorisation. Contact Equifax (equifax.com/personal/credit-report-services), Experian (experian.com/help), and TransUnion (transunion.com/credit-freeze). This is free under U.S. federal law.
- Monitor for fraudulent passport usage. If your passport number was included in the breach, report it to the U.S. State Department's Passport Fraud Hotline (1-877-487-2778) and request a "lost or stolen" flag on your passport record. Consider applying for a replacement passport with a new number.
- Watch for targeted phishing using your personal data. ShinyHunters' datasets are actively used by downstream criminals for spearphishing campaigns. Attackers who know your name, address, date of birth, and email address can craft highly convincing impersonation emails. Be sceptical of any unsolicited communication appearing to come from Carnival, your bank, or government agencies.
- Change passwords for Carnival accounts and any reused credentials. If you used the same password for your Carnival account and other services, change it everywhere. Enable MFA (multi-factor authentication — requiring a second form of verification beyond a password) on all accounts where it is available.
- Consult a consumer protection attorney about joining the class action. Three lawsuits are already filed in the U.S. District Court for the Southern District of Florida. Affected individuals may be entitled to compensation for damages including out-of-pocket expenses from identity theft and the cost of preventative monitoring.
// 06 Background: Understanding the Risk
Passport numbers are uniquely dangerous in data breaches. A stolen credit card number can be cancelled within minutes; a stolen passport number remains valid until the document's expiry date (typically 10 years for U.S. passports). Criminals who obtain passport data can use it to:
- Apply for replacement passports fraudulently, obtaining a physical document in the victim's name
- Create synthetic identities combining real passport numbers with fabricated other information
- Apply for loans, open bank accounts, or establish credit lines under the victim's identity
- Use the data to pass identity verification checks at financial institutions that rely on government ID matching
This is the third major Carnival data breach in recent years. In 2019, the company disclosed a ransomware attack that exposed employee and guest personal data. In 2021, Carnival paid a $5 million fine to the New York State Department of Financial Services over a separate 2019 breach. The pattern of repeated breaches suggests systemic security posture issues that the ongoing class action litigation may compel the company to address structurally.
ShinyHunters' success against organisations like Carnival, Ticketmaster, and Santander underscores a persistent industry-wide failure: despite widespread adoption of endpoint detection tools, organisations continue to fall victim to credential theft and session hijacking techniques that bypass traditional signature-based defences. The group's favoured attack path — compromising a single employee account and using it to access cloud data stores — requires security teams to focus on identity and access management hygiene, privileged access controls, and anomalous cloud API access monitoring rather than solely on perimeter security.
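The anomalous cloud API access monitoring described above can be sketched as a small detection rule. This is an added example, not part of the original article or any vendor's tooling; the log fields, session names, sample events and the `volume_factor` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not data from the Carnival incident).
# Hypothetical fields: time, session token id, user, source IP, user agent, records returned.
EVENTS = [
    ("2026-01-05T09:00:11Z", "sess-a1", "alice", "198.51.100.10", "Chrome/124", 40),
    ("2026-01-05T09:04:52Z", "sess-a1", "alice", "198.51.100.10", "Chrome/124", 25),
    ("2026-01-05T09:30:03Z", "sess-b7", "bob", "198.51.100.22", "Firefox/125", 60),
    ("2026-01-05T11:47:19Z", "sess-a1", "alice", "203.0.113.77", "python-requests/2.31", 50000),
    ("2026-01-05T11:49:40Z", "sess-a1", "alice", "203.0.113.77", "python-requests/2.31", 50000),
    ("2026-01-05T12:10:00Z", "sess-b7", "bob", "198.51.100.22", "Firefox/125", 35),
]


def find_suspect_sessions(events, volume_factor=20):
    """Flag sessions whose token shows up from a second client, and bulk reads from that client."""
    first_client = {}               # session -> (ip, user agent) that first used the token
    baseline = defaultdict(list)    # session -> record counts seen from the first client
    findings = defaultdict(set)

    # ISO 8601 UTC timestamps sort correctly as strings, so sorted() orders by time.
    for _ts, session, _user, ip, agent, records in sorted(events):
        client = (ip, agent)
        origin = first_client.setdefault(session, client)
        if client == origin:
            baseline[session].append(records)
            continue
        # Same token, different network origin or client software: possible token theft.
        findings[session].add("token_reused_from_new_client")
        typical = max(baseline[session], default=0)
        if typical and records > volume_factor * typical:
            # The new client reads far more than the legitimate one ever did.
            findings[session].add("bulk_read_after_reuse")

    return {session: sorted(reasons) for session, reasons in findings.items()}


if __name__ == "__main__":
    for session, reasons in find_suspect_sessions(EVENTS).items():
        print(session, reasons)
```

In production the same rule would run over the identity provider's or SaaS platform's audit log, with the baseline built per user over days rather than per session.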
// 07 Conclusion
The Carnival data breach affects nearly 6 million customers with passport numbers and government ID data now in the hands of ShinyHunters and anyone who obtained the subsequently published dataset. Affected customers should act immediately: enroll in Carnival's free credit monitoring, place credit freezes, and report passport numbers to the State Department. The data is already public; the question now is how quickly individuals take protective action before identity fraud materialises.
