Data Breach

Carnival Data Breach April 2026 - What Was Exposed and What To Do

7,531,359 records exposed

The Carnival data breach exposed 7,531,359 records including Dates of birth, Email addresses, Genders, Geographic locations, Loyalty program details, Names, Salutations. This breach has been verified by HaveIBeenPwned. Affected users should check HaveIBeenPwned.com and take immediate steps to protect their accounts.

What Happened

In April 2026, the notorious hacking collective ShinyHunters claimed they had obtained a substantial volume of data belonging to the Carnival cruise operator and attempted to extort the organisation to prevent the data from being leaked. The following week, the group published the data publicly, which contained 8.7M records with 7.5M unique email addresses. The data contained fields indicating it related to the Mariner Society loyalty program run by Holland America, a cruise line brand under Carnival, and included names, dates of birth, genders and data relating to status within the loyalty program. Carnival acknowledged a phishing incident involving a single user account and advised they were working to better understand the scope of the unauthorised activity.

Breach date
2026-04-18
Records affected
7,531,359
Verified
Yes
Domain
carnivalcorp.com

What Was Exposed

The following data types were included in the breach:

  • Dates of birth
  • Email addresses
  • Genders
  • Geographic locations
  • Loyalty program details
  • Names
  • Salutations

What You Should Do

If you had an account with Carnival, take these steps immediately:

  1. Check if your account was affected at HaveIBeenPwned.com
  2. Watch for phishing emails that reference the breach or impersonate the affected company
  3. Be alert for social engineering attempts using your exposed personal information
  4. Enable two-factor authentication on the affected service if available
  5. Consider using a password manager to generate unique passwords for each service

FAQ

Was my data in the Carnival breach?
Check HaveIBeenPwned.com to see if your email address was included in the Carnival breach. The breach exposed 7,531,359 records containing Dates of birth, Email addresses, Genders, Geographic locations, Loyalty program details, Names, Salutations.
What should I do if my data was exposed in the Carnival breach?
Change your password on the affected service immediately. Enable two-factor authentication. If financial data or government IDs were exposed, place a fraud alert with credit bureaus and monitor your accounts for unauthorized activity.
When did the Carnival data breach happen?
The Carnival breach occurred on 2026-04-18. It was added to the HaveIBeenPwned database on 2026-04-24. The breach affected 7,531,359 accounts.

Need Incident Response?

Sherlock Forensics investigates data breaches for organizations. We determine scope of exposure, identify attack vectors, preserve evidence for legal proceedings and help you meet notification requirements.

Get Incident Response Help