Carnival Confirms ~6 Million Affected After April Social-Engineering Breach Claimed by ShinyHunters
Carnival Corporation confirmed a data breach affecting approximately six million individuals, stemming from a social-engineering attack on an employee in April 2026.
VERDICT — CONFIRMED

Carnival Corporation confirmed a data breach affecting approximately six million individuals, stemming from a social-engineering attack on an employee in April 2026. The company says an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of its IT systems on or around April 10, 2026; Carnival's security team identified the unauthorized activity on April 14, 2026, and determined on April 22, 2026 that personal information had been illegally copied. The figure comes from a Carnival filing with Maine's attorney general and is a reduction from the roughly 8.7 million records initially listed on Have I Been Pwned.
Stolen data included names, addresses, email addresses, phone numbers, dates of birth and state identification numbers. The extortion group ShinyHunters claimed responsibility, stating, 'The company failed to reach an agreement with us despite our incredible patience,' indicating Carnival declined to pay. Carnival began notifying affected individuals and offered two years of complimentary credit monitoring through TransUnion, and said it is strengthening security controls and monitoring.
The Carnival incident is part of a wave of ShinyHunters extortion breaches disclosed in the window that also hit telecom, retail and education targets; the group has reportedly compromised between 300 and 400 organizations over six years. Reporting noted Carnival declined to comment on the precise scale or to name ShinyHunters directly, and that the discrepancy between the actor's records claim and the company's notification figure mirrors a recurring pattern in ShinyHunters cases, where exfiltrated record counts exceed the number of distinct notified individuals.


