Carnival confirms breach of 5,995,277 people after ShinyHunters social-engineers employee account
Carnival Corporation disclosed a data breach affecting 5,995,277 people, per a notification filed in Maine, with breach-notice letters sent on or about May 27, 2026.
At a glance
- 5,995,277 people affected, per notification filed in Maine; breach letters sent on or about May 27, 2026
- Social engineering of employee on April 14, 2026; intruder used compromised account by April 22, 2026 to copy data before being blocked
- Exposed data: full names, emails, dates of birth, gender, Mariner Society membership status/tier, internal customer identifiers; other reporting adds addresses, phone numbers, government-issued ID numbers
- ShinyHunters extortion group tied to the intrusion; group simultaneously linked to the Charter Communications breach
- 24 months complimentary credit monitoring via TransUnion MyTrueIdentity; fraud assistance from Cyberscout
VERDICT — CONFIRMED
Carnival Corporation disclosed a data breach affecting 5,995,277 people, per a notification filed in Maine, with breach-notice letters sent on or about May 27, 2026. According to Carnival, an attacker used social engineering on April 14, 2026 to trick an employee into granting access to part of the company's IT environment; by April 22, 2026 the intruder used the compromised account to reach a limited portion of Carnival's systems and copy personal data before being blocked. Exposed data varied by individual but generally included full names, email addresses, dates of birth, gender, Mariner Society membership status and tier, and internal customer identifiers; other reporting cites addresses, phone numbers and government-issued ID numbers for some records.
The extortion group ShinyHunters, known for steal-then-extort tactics with a publish-or-sell threat, was tied to the intrusion. Carnival is offering affected individuals 24 months of complimentary credit monitoring via TransUnion's MyTrueIdentity, with fraud assistance from Cyberscout, and says it has implemented additional security measures. The incident is the largest single consumer-data breach disclosed at the start of the window and fits a 2026 pattern of ShinyHunters-led vishing/social-engineering campaigns against large enterprises (the group is simultaneously linked to the Charter Communications breach).
For 6 million cruise customers, the exposure of DOB plus loyalty-tier and identity data creates durable phishing and identity-theft risk well beyond the credit-monitoring window.
Key facts on file
- 5,995,277 people affected, per notification filed in Maine; breach letters sent on or about May 27, 2026
- Social engineering of employee on April 14, 2026; intruder used compromised account by April 22, 2026 to copy data before being blocked
- Exposed data: full names, emails, dates of birth, gender, Mariner Society membership status/tier, internal customer identifiers; other reporting adds addresses, phone numbers, government-issued ID numbers
- ShinyHunters extortion group tied to the intrusion; group simultaneously linked to the Charter Communications breach
- 24 months complimentary credit monitoring via TransUnion MyTrueIdentity; fraud assistance from Cyberscout
- Described as the largest single consumer-data breach disclosed at the start of the window


