Based on reports, the incident allegedly occurred when ShinyHunters breached the cruise operator’s supply chain, when a phishing attack led to a breach of a third-party account.
Through this, the threat actor allegedly compromised almost millions of records of Carnival customers who had journeyed using Carnival’s Holland America brand.
As many as 6 million people are believed to have been impacted by the incident, with data including names, birth dates, gender, loyalty program details, contact information and government ID details from licenses and passports, according to HaveIBeenPwned and Carnival’s own statement.
“The company acted swiftly to block the unauthorised activity and immediately began working with third-party security experts to further strengthen its security and to conduct a thorough investigation. As part of this investigation, the company determined the bad actor illegally accessed certain personal information,” the statement said, adding that notifications were sent to those it determined were impacted.
“In addition to the comprehensive security measures the company had in place prior to the incident, it has taken steps to further safeguard its systems, including enhancing its security and monitoring controls. The company will continue to advance its IT security and data privacy controls to stay ahead of an ever-evolving threat landscape.”
Carnival did not confirm how many were impacted, nor did it name ShinyHunters as the group behind the incident.
Speaking with Cyber Daily, Ismael Valenzuela, vice president of threat intelligence research at Arctic Wolf, said the Carnival incident shows how ShinyHunters’ tactics continue to advance and remain effective.
“ShinyHunters has been wreaking havoc across major brands, and the Carnival breach shows just how effective their tactics have become. By compromising a single employee account, the group gained access to internal systems and extracted large volumes of customer data, ultimately impacting millions. It’s a clear reminder that one identity breach can quickly spiral into a large‑scale incident,” he said.
“ShinyHunters’ playbook hasn’t changed because it continues to work. They gain a foothold through identity-based attacks, move quickly to exfiltrate data at scale, and then use it for leverage under a pay‑or‑leak model. The information exposed includes a mix of personal and account-related data, creating lasting downstream risk. Anyone potentially impacted should assume elevated exposure, reset passwords, tokens, and API keys that could have been exposed, enable phishing‑resistant multifactor authentication, and closely monitor for suspicious or unauthorised account activity. Data like this is often reused over time in targeted phishing, identity fraud, and broader social engineering campaigns.”
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
