Carnival Probes ShinyHunters Claim of 8.7 Million Stolen Records

Updated June 6, 2026

Carnival Corporation has begun notifying people whose personal information was compromised in an April cybersecurity incident. A Maine Attorney General filing lists 5,995,277 affected individuals, and the Texas Attorney General lists more than 800,000 Texans.

The company said an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of its IT system. Carnival's IT security team detected the unauthorized activity on April 14, blocked it, brought in third-party security experts and alerted law enforcement.

"Our investigation found certain personal information was illegally accessed," Carnival said in a statement. "We're notifying affected individuals and deeply regret any concern this causes."

What information may have been exposed

Carnival said its analysis is ongoing and the affected data varies by individual. To date, the impacted data is known to include names, home addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers, including driver's license numbers and passport numbers.

The company is offering affected U.S. individuals two years of complimentary credit monitoring through TransUnion. Carnival has also established a dedicated call center at 1-844-593-8310 for questions about the incident and the credit-monitoring services. Carnival is urging affected individuals to monitor account statements and credit histories for unauthorized activity and to contact local police if they suspect identity theft or fraud.

ShinyHunters claim preceded Carnival's notice

The confirmation follows ShinyHunters listing Carnival on an extortion portal with a "Pay or Leak" deadline of April 21, 2026, threatening to release data publicly if its demands were not met. Carnival has not publicly attributed the attack to ShinyHunters.

When the claim surfaced, Carnival said it had "acted quickly to block unauthorized activity following a phishing incident involving a single user account" and was working with global security experts to determine the scope. Its May 27 notice described the incident as a social engineering attack on a single user account and confirmed that personal information was illegally accessed.

The earlier ShinyHunters claim involved more than 8.7 million records. Carnival has not provided a brand-by-brand breakdown of affected individuals across its cruise portfolio.

ShinyHunters is a financially motivated cybercrime group associated with large data theft, extortion and the sale or posting of stolen records. The U.S. Department of Justice has tied ShinyHunters-related activity to phishing pages and fake login sites. In one case, French national Sébastien Raoult was sentenced to three years in prison and ordered to pay more than $5 million in restitution for conspiracy to commit wire fraud and aggravated identity theft.

Three lawsuits were filed in South Florida

Plaintiffs filed three proposed class actions against Carnival between April 22 and April 24 in the U.S. District Court for the Southern District of Florida. The plaintiffs are Yvonne Vasquez of California, Zachary Pottle of Florida and Ashley Cole of Tennessee. They allege Carnival failed to maintain adequate cybersecurity controls.

The complaints cite alleged gaps including encryption and two-factor authentication, and seek financial compensation, lifetime free credit monitoring for class members and court-ordered changes to Carnival's data-protection practices. Those requests predated Carnival's notice offering two years of TransUnion credit monitoring to affected U.S. individuals.

Cole and Vasquez also allege that ShinyHunters warned Carnival it would leak data if demands were not met by the April 21 deadline.

Prior settlement adds scrutiny to the response

Carnival previously reached a $1.25 million multistate settlement tied to a 2019 breach that was reported in 2020. State attorneys general said that incident involved data such as names, addresses, passport numbers, driver's license numbers, payment card information, health information and some Social Security numbers.

As part of that settlement, Carnival agreed to strengthen email security, multifactor authentication, password policies, phishing training and breach-response practices. The new lawsuits argue the company should have anticipated cyberattack risk given threats facing travel and financial companies.

Carnival has also experienced separate technology problems this year. Widespread online disruptions hit in February, and an April email glitch sent repeated cruise offers to some guests. Those incidents have not been linked to the data breach.