Carnival Corporation — Holland America Mariner Society phishing breach
ShinyHunters publicly dumped 7.5 million unique Mariner Society loyalty-programme email addresses after Carnival refused extortion following a single-user phishing compromise.
- Target: Carnival Corporation — Holland America Mariner Society phishing breach
- Date public: 24 April 2026
- Sector: Transport
- Attack type: Phishing
- Threat actor: ShinyHunters
- Severity: High
- Region: Global (US-headquartered)
ShinyHunters listed Carnival Corporation on its extortion portal on 18 April 2026, claiming theft of 8.7 million records, and set a 21 April deadline. Carnival declined to negotiate. The following week ShinyHunters published the dataset publicly. Have I Been Pwned subsequently recorded 7,531,359 unique email addresses, alongside names, dates of birth, gender, and loyalty-programme status data.
The exposed data relates to the Mariner Society loyalty programme run by Holland America Line, the Carnival-owned cruise brand. Carnival, in a statement issued during the week of the dump, said it had “detected unauthorized online activity involving a single-user account” and acted to block further access. The intrusion vector, in the company’s own framing, was a phishing-compromised user account; the access route to the dataset has not been publicly described in detail.
The Carnival breach is part of the wider ShinyHunters Salesforce-linked campaign that, across April 2026, has also dumped data from Medtronic, Pitney Bowes, Mytheresa, Zara, 7-Eleven, Udemy, Canada Life and around forty other organisations, all downstream of the August 2025 Salesloft/Drift OAuth-token theft. The pattern across the cluster is consistent: phishing-compromised employee account, OAuth-grant or credential pivot into a Salesforce CRM, bulk customer-record export, listing on the extortion portal, dump on refusal.
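The bulk-export step of that chain is the one a CRM owner can most readily detect. The following is an added worked example, not code from the original brief and not from Carnival's or Salesforce's environment: it scans constructed CRM export events for a single user account pulling far more records in a short window than any legitimate workflow would, and notes whether the OAuth connected app used was on an approved list. The event schema, user names, app names and thresholds are all assumptions for illustration (the fields are not Salesforce's real EventLogFile columns).

```python
"""Flag a single CRM user account bulk-exporting customer records.

Illustrates detection of the pattern described above (phishing-compromised
account -> OAuth/credential pivot into the CRM -> bulk export). The event
schema and sample records below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one normal user, and one account exporting far above
# baseline through a connected app the security team never approved.
SAMPLE_EVENTS = [
    {"ts": "2026-04-10T09:02:00", "user": "u.alice", "app": "InternalReports", "kind": "report_export", "rows": 1_200},
    {"ts": "2026-04-10T09:40:00", "user": "u.alice", "app": "InternalReports", "kind": "report_export", "rows": 800},
    {"ts": "2026-04-10T22:15:00", "user": "u.bob", "app": "data-sync-app", "kind": "bulk_api", "rows": 2_500_000},
    {"ts": "2026-04-10T22:31:00", "user": "u.bob", "app": "data-sync-app", "kind": "bulk_api", "rows": 2_400_000},
    {"ts": "2026-04-10T22:47:00", "user": "u.bob", "app": "data-sync-app", "kind": "bulk_api", "rows": 2_600_000},
]
APPROVED_APPS = {"InternalReports", "MarketingSync"}  # assumed allow-list


def flag_bulk_exports(events, window=timedelta(hours=1), row_threshold=100_000,
                      approved_apps=APPROVED_APPS):
    """Return one alert per user whose exported rows inside any sliding window
    exceed row_threshold; each alert lists connected apps not on the allow-list."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] in ("report_export", "bulk_api"):
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["rows"], e["app"]))
    alerts = []
    for user, recs in by_user.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            total = sum(r[1] for r in recs[start:end + 1])
            if total > row_threshold:
                apps = {r[2] for r in recs[start:end + 1]}
                alerts.append({"user": user, "rows": total,
                               "window_end": recs[end][0].isoformat(),
                               "unapproved_apps": sorted(apps - approved_apps)})
                break  # first hit is enough for triage; later ones repeat it
    return alerts


if __name__ == "__main__":
    for alert in flag_bulk_exports(SAMPLE_EVENTS):
        print(alert)
```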
A deep-dive will follow once Carnival’s regulatory filings clarify the scope, the breach-notification letters reveal the record taxonomy, and any independent technical reporting on the intrusion chain becomes available.
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
- Phishing-resistant MFA on every privileged account: hardware keys or platform authenticators on admin, cloud-root, HR-system, CRM and customer-data accounts. SMS one-time codes do not count as MFA against a serious adversary.
- Maintain a critical-third-party register, with exit plans for each: most large breaches start at a vendor you wouldn't have called critical. Maintain a register of who can hurt you, what data they hold, and how you survive when they fail.