- Carnival says a social engineering attack exposed personal information tied to nearly 6 million people.
- Some affected data may include names, contact details, dates of birth and government-issued ID numbers.
- Have I Been Pwned says leaked data also appeared tied to Holland America’s Mariner Society loyalty program.
- Travelers should watch for fake cruise emails, texts, calls and identity verification scams.
Carnival Corporation has confirmed a data breach affecting nearly 6 million people, and the fallout could reach travelers who may not think of themselves as Carnival customers.
The company says the incident involved a social engineering attack on a single user account. In other words, someone fooled an employee and gained access to part of Carnival’s IT system.
For cruise customers, the real concern starts after the breach. Stolen personal details can help scammers write messages that feel far more believable. Here is what may have been exposed, what Have I Been Pwned found in the leaked data and what you can do now to protect yourself.
What information was exposed in the Carnival breach?
Carnival Corporation says the breach began with a social engineering attack on a single user account. An unauthorized actor gained access to a limited part of the company’s IT system. Carnival says it immediately blocked the activity, brought in third-party security experts and alerted law enforcement.
A Carnival Corporation spokesperson told CyberGuy,
“In April, we identified unauthorized access to a limited part of our IT system caused by a social engineering attack on a single user account. We immediately blocked the activity, engaged third-party security experts and alerted law enforcement. Our investigation found certain personal information was illegally accessed. We’re notifying affected individuals and deeply regret any concern this causes. Protecting the privacy and security of personal data is a priority for us and we’ve added new layers of security and monitoring on top of the comprehensive protections already in place. We’ll also continue advancing our defenses against evolving threats.”
State breach reporting shows 5,995,277 people were affected. Carnival says the impacted data varies by individual. However, the company says the information known to be involved includes names, addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers, such as driver’s license numbers and passport numbers.
What Have I Been Pwned found in the leaked Carnival data
Have I Been Pwned also analyzed the data published by ShinyHunters and said it contained 8.7 million records with 7.5 million unique email addresses. That data appeared tied to Holland America’s Mariner Society loyalty program and included names, dates of birth, email addresses, genders, geographic locations, salutations and loyalty program details.
That means this breach could affect you even if you think of yourself as a Holland America customer, not a Carnival customer. Even without a credit card number, this type of data can create problems. Criminals can use it to build fake emails, texts and calls that sound like they came from a real cruise brand. For example, a scammer could mention loyalty points, an upcoming trip, a refund or a cabin upgrade. That one familiar detail may be enough to get you to click.
What ShinyHunters claimed about Carnival
Carnival has not publicly confirmed that ShinyHunters carried out the attack. However, the extortion gang claimed responsibility in April 2026 and said it stole millions of records and internal corporate data.
ShinyHunters has also been tied to broader data theft and extortion activity involving Salesforce customers. The group often pressures companies by threatening to leak or sell stolen information.
The FBI has warned victims not to pay ransom demands from the group. Paying does not guarantee stolen data will be deleted. It also does not stop criminals from trying to extort victims again.
For you, the concern is what happens next. Once your data leaks, scammers may try to use it in emails, texts or calls that sound more believable than the usual junk.
Watch the latest episode of The CyberGuy Report.
Missed this event? Sign up via the registration form and see our live recording.
See Kurt’s Prime Day picks for useful gadgets, practical upgrades and everyday tech while the deals last.
Why the Carnival breach could put you at risk
Travel scams work because they catch you when you are excited, rushed or distracted. Maybe you booked a cruise years ago. Maybe you joined a loyalty program and forgot about it. Maybe you sailed with Holland America, Princess Cruises or another Carnival-owned brand. That old account can still have value to criminals.
Carnival has also dealt with several cybersecurity incidents before. The company disclosed breaches in March 2020 and June 2021 after attackers accessed employee email accounts. Ransomware incidents in August 2020 and December 2020 also exposed personal information tied to Carnival customers and employees.
That history does not mean every Carnival customer will face fraud. But it does show why old travel accounts deserve attention. A loyalty account can reveal more than points. It can connect your name, email, birthday, travel history and brand preferences.
That gives scammers more ways to sound convincing. A fake email may claim your loyalty points are expiring. A text may say you qualify for a refund. A caller may say your account needs verification. Those tricks can lead to stolen passwords, malware, fake payment pages or identity theft attempts.
Ways to stay safe after the Carnival breach
If you receive a Carnival breach notice, read it closely so you know what information may have been involved. Some impacted data may include government-issued identification numbers, so take these steps to lock down your accounts, spot fake cruise messages and reduce the chances that scammers can use your personal details against you.
1) Review Carnival’s offer for credit monitoring
Carnival says it is offering eligible U.S. individuals two years of complimentary credit monitoring. If you receive a notice, use the contact details in that notice or Carnival’s official breach webpage. Do not trust random links in emails, texts or search ads claiming to help you enroll.
2) Change your cruise account passwords
Go directly to the official website or app. Do not click a link from an email or text. Use a strong, unique password for every travel account. A password manager can help you create and store better passwords.
3) Turn on two-factor authentication
Two-factor authentication (2FA) adds another layer of protection. Even if someone steals your password, they still need a second approval. Use an authentication app when possible. Text codes help, but they can be weaker if a scammer tries a SIM swap attack.
4) Watch for fake cruise emails and texts
Be suspicious of messages about refunds, loyalty points, upgrades, cancellations or account verification. Scammers love urgent wording. They want you to click before you think. Instead, go straight to the company’s website or app. Check your account there.
5) Use a data removal service
A data removal service such as Incogni will not undo the Carnival breach. However, it can help remove your personal information from data broker and people-search sites. That can make it harder for scammers to combine leaked breach data with your home address, phone number, relatives’ names or other details found online.
Exclusive Deal for CyberGuy Readers (60% off): Incogni offers a 30-day, money-back guarantee and applies a special CyberGuy discount to all annual plans, for as low as $6.39/month for one person (billed annually) or $13.19/month for your family (up to 5 people) on their annual plan.
I strongly recommend the family plan. Here's why: the scam that starts with a Google search of your name almost always ends with a call to you, your elderly parent or a text to your adult child. Protecting yourself without protecting the people around you is half a solution. At $2.64 per person per month, the family plan covers up to five people, and the people most likely to be the final target are often the ones who'd never think to protect themselves.
Get Incogni and remove your info
6) Use strong antivirus protection
Breaches often lead to phishing emails with dangerous links or attachments. Strong antivirus protection, such as Norton Antivirus Plus (CyberGuy Deal: Get 58% off), can help block malicious websites, scam pages and malware before they do damage. Also, keep your phone, tablet and computer updated. Security updates close holes that criminals try to exploit.
7) Do not share personal details with callers
If someone calls and claims to represent a cruise line, do not give out your date of birth, payment details or login codes. Hang up and call the company using a number from its official website.
8) Monitor your bank and credit card accounts
Check your statements for charges you do not recognize. Small test charges can show up before larger fraud attempts. Report suspicious activity right away. Many banks also let you lock a card from the app while you investigate.
9) Consider a credit freeze
A credit freeze can block criminals from opening new credit accounts in your name. You can freeze your credit for free with Equifax, Experian and TransUnion. You can also lift the freeze when you need to apply for credit.
10) Review your credit reports
Check your credit reports for accounts, addresses or inquiries you do not recognize. You can get free weekly credit reports from the three major credit bureaus at AnnualCreditReport.com.
11) Watch for misuse of your ID documents
Because Carnival says some impacted data may include driver’s license or passport numbers, be extra cautious with messages asking you to “verify” your identity. Do not upload a photo of your ID through a link in an email or text. Go directly to the official company, bank or government website instead.
12) Consider identity theft protection
Identity theft protection like Aura can help monitor your personal information, credit files and financial activity for warning signs of fraud. Some plans also include breach or dark web monitoring, which can alert you if your email address or other personal details appear in known leaks.
Exclusive CyberGuy deal: Save up to 68% today: Get Aura’s award-winning identity theft protection and credit monitoring for as low as $9/month when billed annually.
13) Save the breach notice
Keep a copy of any notice you receive from Carnival. It may explain what information was involved and what support the company offers. Be careful with fake settlement or claim websites. Scammers often create lookalike pages after major breaches.
Related Links:
- How to protect your online privacy and security on your next cruise vacation
- Best credit cards for cruises with rewards and perks
- How to keep your phone safe abroad
Kurt’s key takeaways
The Carnival data breach shows why travel accounts need the same care as banking, shopping and email accounts. A cruise may last a week, but the data you shared can stick around for years. Take a few minutes now to tighten your accounts. Change reused passwords, watch for cruise-themed scams and consider freezing your credit if you want stronger protection.
Have travel companies earned enough trust to keep collecting so much personal data, or should loyalty programs start asking for far less? Let us know in the comments below.
FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE
Copyright 2026 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
🎙 Now Streaming: My New Podcast: The CyberGuy Report
Kurt’s Top Deals
Deals move fast and inventory can be limited, so don’t wait too long.
| 🔥 Editor’s pick  Summer entertaining Ninja SLUSHi Machine (26% off) Frozen drinks and slushies at home in minutes. | |
| 💰 Top deal  Outdoor essential TYPEC Solar Bug Zapper (36% off) Solar-powered bug zappers for patios and camping. |
