Carnival Corporation — the world’s largest cruise line operator — has confirmed a data breach that exposed the personal information of nearly 6 million customers. The company detected unauthorized access on April 14, 2026, and later confirmed that a hacker had stolen data four days earlier, on April 10. The cybercrime group ShinyHunters has claimed responsibility for the attack.
The stolen data includes names, dates of birth, email addresses, genders, geographic locations, and Mariner Society loyalty program details. Carnival says the attacker used social engineering to trick an employee into granting access to a portion of the company’s IT systems. This is Carnival’s fourth major data breach since 2020 — a pattern that suggests the company has struggled to harden its defenses. Affected customers should expect to receive a notification letter from Carnival. If you receive contact from anyone claiming to be from Carnival and asking for payment to protect your data, do not pay — the FBI has warned that paying extortion demands does not stop hackers from selling your data anyway.
How to check if you’re affected
Affected products include Carnival Corporation’s cruise brands — including Carnival Cruise Line, Princess Cruises, Holland America, and Seabourn — if you booked a cruise or joined the Mariner Society loyalty program. If you have ever created an account or booked a trip through any Carnival brand, assume your details may have been included. Monitor your email for official breach notifications from Carnival, and watch for phishing emails impersonating the company using your real name or booking details.