"The company failed to reach an agreement with us despite our incredible patience," a post on the ShinyHunters leak site declared, adding bluntly, "They don't care." The claim, seen by The Register, sits at the center of competing accounts about a large trove of cruise-line data and what it means for customers and the company that runs Holland America Line.
ShinyHunters claim terabytes of internal data after talks broke down
ShinyHunters — described in reporting as an extortion-focused breach group — published material that it says came from Carnival Corporation and its subsidiaries. The group claimed it had lifted not only customer records but "terabytes of internal corporate data" and framed the publication as the result of failed negotiations with the company. The Register reported the post and noted the group's history of advertising large caches of data.
Have I Been Pwned flags 7.5 million unique emails, 8.7 million records linked to Mariner Society
Have I Been Pwned (HIBP) flagged an apparent haul tied to Carnival’s operations: 7.5 million unique email addresses within a total of 8.7 million records. HIBP said the data "contained fields indicating it related to the Mariner Society loyalty program run by Holland America Line," a Carnival Corporation subsidiary. The volume and the match to a named loyalty program prompted HIBP to publicize the finding.
Carnival's account: a phishing attack against a single user account, scope still under review
According to HIBP's reporting, Carnival Corporation acknowledged a security incident but offered a narrower account than the leak site. The company told HIBP the incident "involved a phishing attack against a single user account" and that it was "still working to understand the scope of any unauthorized access." The Register asked Carnival to confirm whether the figures posted by HIBP matched its own findings, what data was accessed, whether a ransom demand had been made, and how attackers gained access; The Register reported Carnival had not responded at the time of writing.
Exposed fields and the potential for fraud or phishing
HIBP said the exposed data included names, dates of birth, genders, and membership status details — elements that can be repurposed for targeted fraud or phishing. The Register noted that ShinyHunters often gains initial access through phishing, stolen logins, or by compromising SaaS platforms, and said that if the extortion group's claims are accurate the incident "went well beyond a single compromised inbox." The distinction matters: a single-user credential compromise differs sharply from an extraction of "terabytes" of internal data and millions of membership records.
What this means for passengers, security teams, and Carnival's incident responders
- Passengers: The Register advised that passengers "may want to keep a closer eye on their inboxes than their next itinerary," reflecting the risk that exposed personal fields could fuel phishing and impersonation attempts tied to travel plans or loyalty accounts.
- Security teams and technologists: The juxtaposition of HIBP's flagged dataset and ShinyHunters' public dump will push technical teams to reconcile the difference between a reported single-account phishing incident and claims of widespread data exfiltration; investigators will focus on logs, access records, and any evidence of mass export or lateral movement.
- Carnival's incident responders and corporate leadership: With a public leak-site claim and questions submitted by The Register unanswered at the time of reporting, the company's next steps — confirming the scope, notifying affected members, and determining whether a ransom demand was made — will be central to how regulators, customers, and partners judge the response.
Two narratives are in tension: HIBP's identification of millions of records tied to a specific loyalty program, and Carnival's narrower description of a phishing attack on one account. ShinyHunters' public posting raises the stakes by claiming far more extensive access. The Register's outreach to Carnival seeking confirmation and more detail remained unanswered at the time of the story, leaving open whether investigators will ultimately conclude this was a contained phishing incident or a much larger data spill affecting millions tied to the Mariner Society program.
Original reporting: https://go.theregister.com/feed/www.theregister.com/2026/04/24/shinyhunters_claim_cruise_giant_carnivals/




