Carnival
carnivalcorp.com
Carnival Corporation & plc is the world's largest cruise operator, headquartered in Miami and Southampton. It runs nine cruise brands — Carnival Cruise Line, Holland America Line, Princess Cruises, Cunard, Seabourn, Costa Cruises, P&O Cruises and AIDA Cruises — across a fleet of more than 90 ships. The breached data came from Holland America's Mariner Society, the five-tier loyalty programme (Star Mariner, 2-Star, 3-Star, 4-Star and 5-Star Mariner) that tracks status for guests who have sailed with the brand.
Key Takeaways
- In April 2026, ShinyHunters published 8.7M records (7.5M unique email addresses) from Holland America's Mariner Society loyalty database after Carnival did not pay an extortion demand. The exposed fields are name, salutation, date of birth, gender, email address, geographic location and loyalty programme status. Carnival has said no passwords or payment information were involved and attributes the incident to a phishing attack on a single staff account — though the volume of records published goes well beyond what a single mailbox would hold.
- Loyalty programmes for cruise lines hold years of repeat-customer data — full name, birthday, home country and tier status — and Mariner Society members tend to be older, higher-spend travellers, which makes this database a high-value target for tailored scams rather than a generic spam dump.
- If you'd rather Carnival not hold this data any longer, email Privacy@hollandamerica.com (Holland America's own privacy mailbox) or privacy@carnival.com (Carnival Corporation, covers all brands) and ask them to close your Mariner Society account and delete your personal data — they have 30 days to confirm, and you don't have to use Carnival's own webform.
Breach Overview
Attackers exfiltrated records from Holland America's Mariner Society loyalty database. The published dataset contains 8.7M rows with 7.5M unique email addresses, and each record includes salutation, full name, date of birth, gender, email address, geographic location and Mariner Society loyalty programme details (such as tier and member status). Carnival has stated no account passwords and no payment information were taken. Carnival's only public statement, given to CyberInsider and The Register, is: "We acted quickly to block unauthorized activity following a phishing incident involving a single user account. We're working with top global security experts to better understand the scope of the activity." That "single user account" framing sits awkwardly next to the 7.5 million emails in the dump, which suggests the compromised account had access to a wider customer database rather than just one inbox. The data is now circulating on public hacking forums after Carnival did not pay the extortion, so it should be treated as freely available to scammers, not as something contained. Carnival has not, at the time of writing, published a customer-facing notice on either carnival.com or hollandamerica.com.
Exposed Data
Timeline & Cause
ShinyHunters listed Carnival on its extortion portal on 18 April 2026 and gave the company until 21 April to engage. After the deadline passed, the group published the 8.7M-record dataset, and Have I Been Pwned added it on 24 April 2026. Carnival has not published the date the intrusion began or the date it was detected, and has not described the attack chain beyond "a phishing incident involving a single user account". No threat actor other than ShinyHunters has been named. Carnival has not issued a customer letter or press release; its only published guidance has been telling reporters that affected guests should monitor their accounts and be alert to phishing attempts.
Next Steps
The stolen fields — your salutation, name, date of birth, email, country and Mariner Society tier — are tailor-made for cruise-themed scams, and Holland America's older, higher-spend membership is exactly the audience these scams are written for. Expect over the coming months: "happy birthday from Holland America" emails offering a free onboard credit if you click a link to claim it; "your 4-Star Mariner status expires soon — confirm your details to keep your perks" emails or letters quoting your actual tier; "there is an issue with your upcoming Holland America cruise" SMS or phone calls that drop your name, birthday and tier in to sound legitimate; and fake refund or shore-excursion-credit offers asking for a card number. The rule of thumb: any Holland America or Carnival message that arrives unprompted and leans on details only the cruise line would know — your tier, your salutation, your birthday — is using this stolen data. Don't click links in it, don't call back the number it gives, don't read out card details to anyone who called you.
If you'd rather Carnival stop holding your data at all, email Privacy@hollandamerica.com for the Mariner Society / Holland America record specifically, or privacy@carnival.com for any other Carnival Corporation brand you've sailed with. UK and EEA guests can use Privacy@CarnivalUKGroup.com. Ask them to close your account and delete your personal data — you don't have to give a reason, plain email is fine even though Carnival points people to its own DSAR portal, and they have 30 days to confirm it's done.
Carnival says no passwords were taken, so your Mariner Society or Holland America login itself doesn't need changing. But if you reuse that password on other sites, change it there — your email address is now public and is the bridge an attacker would use to try the same password elsewhere.