ShinyHunters posted Carnival Corporation to its “pay or leak” extortion portal on April 18, 2026, four days after Carnival’s IT security team flagged unauthorized access on a compromised employee account. Carnival confirmed the breach on May 27: its official data breach notice and Maine state notification filing put the affected count at 5,995,277 people.

The attack was a phishing incident targeting one employee. An unauthorized actor socially engineered that employee to gain access to a limited portion of Carnival’s IT systems. Data taken from the Mariner Society loyalty program, operated by Holland America Line (a Carnival subsidiary), included names, dates of birth, genders, email addresses, and loyalty program status. ShinyHunters claimed 8.7 million records with 7.5 million unique email addresses; Carnival’s own Maine filing confirms 5.99 million. The gap hasn’t been explained publicly.

Carnival’s disclosure that one phished employee account exposed nearly 6 million Mariner Society records points to a data access problem as much as a phishing problem. If a single set of employee credentials can reach loyalty data for six million people, the access controls needed fixing before any phishing email arrived. This is not Carnival’s first breach, which makes the post-incident pledge to enhance monitoring and security controls harder to credit as a complete fix.

Carnival began notifying the 5.99 million affected individuals on May 27, 2026. Eligible U.S. residents can enroll for two years of complimentary credit monitoring through TransUnion.

James Okafor