
Apr 29, 2026 · 6 min read

ShinyHunters Stole 7.5 Million Cruise Customers' Email Addresses—Carnival Says It Was Just One Compromised Inbox

A phishing email cracked one Carnival employee account. The attackers walked out with 8.7 million Holland America loyalty records, including 7.5 million unique email addresses—and Carnival's negotiations failed before the deadline.


What Happened

On April 18, 2026, the extortion group ShinyHunters listed Carnival Corporation on its "pay or leak" portal, claiming it had stolen more than 8.7 million records along with terabytes of internal corporate data. The deadline to engage with the ransom demand was April 21. Carnival did not pay. ShinyHunters began publishing the stolen data shortly after.

Carnival's official statement framed the incident as small. The company said it "acted quickly to block unauthorized activity following a phishing incident involving a single user account" and that it was "still working to understand the scope of any unauthorized access." Independent analysis of the leaked dataset tells a different story: 7.5 million unique email addresses out of 8.7 million total records, almost certainly drawn from the Mariner Society loyalty program operated by Carnival's subsidiary Holland America Line.

What Was Actually Stolen

Security researchers who reviewed the dataset say the field structure matches Holland America's loyalty program. The exposed records include:

  • Full names
  • Email addresses
  • Dates of birth
  • Genders
  • Mariner Society membership status and tier
  • Internal customer identifiers

Have I Been Pwned has already ingested 7,531,359 unique addresses from the leak, classifying it as a verified breach. Holland America's Mariner Society is the loyalty program that tracks repeat cruisers—the people most likely to recognize the brand in their inbox and the least likely to question a message that references their tier or upcoming voyage.

"They Don't Care"

When the deadline passed, ShinyHunters posted a public note on its leak site: "The company failed to reach an agreement with us despite our incredible patience. They don't care." The group is using public shaming as part of its negotiation strategy, betting that reputational damage will force payment from victims who refuse to negotiate quietly.

Carnival's response—characterizing a 7.5 million email leak as a "single user account" incident—is technically accurate and strategically risky. Customers reading press coverage do not parse the difference between "one inbox compromised" and "one inbox is enough to extract every Mariner Society member."

Why One Phishing Email Is Enough

The pattern of "one compromised account, millions of records" has become ShinyHunters' signature. The group does not need to crack a firewall, exploit a zero-day, or escalate privileges through a complex chain. It needs one employee with access to a CRM, a marketing platform, or a customer support tool. Once inside, the cloud platform itself does the exfiltration work.

ShinyHunters has used this playbook repeatedly in April 2026. The group breached Canada Life through a single Salesforce account, stealing 5.6 million records. It hit ADT through one voice phishing call, taking 10 million records. And it threatened to release 45 million records from McGraw-Hill through the same Salesforce vector. Carnival is the latest entry in a list that grows weekly.
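On the defensive side, the "one compromised account, millions of records" pattern shows up as a single user's export volume jumping far above that user's own history. The sketch below is an added example, not code from any of the companies or platforms named here; the JSON-lines audit schema, the account names and the thresholds are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed audit events in a hypothetical JSON-lines schema.
SAMPLE_LOG = """
{"day": "2026-04-10", "user": "agent.a", "action": "export", "records": 180}
{"day": "2026-04-10", "user": "svc.reports", "action": "export", "records": 50000}
{"day": "2026-04-11", "user": "agent.a", "action": "export", "records": 220}
{"day": "2026-04-11", "user": "svc.reports", "action": "export", "records": 52000}
{"day": "2026-04-12", "user": "agent.a", "action": "login", "records": 0}
{"day": "2026-04-12", "user": "agent.a", "action": "export", "records": 150}
{"day": "2026-04-12", "user": "svc.reports", "action": "export", "records": 49000}
{"day": "2026-04-13", "user": "agent.a", "action": "export", "records": 1200000}
{"day": "2026-04-13", "user": "agent.a", "action": "export", "records": 1200000}
{"day": "2026-04-13", "user": "svc.reports", "action": "export", "records": 51000}
"""

def daily_totals(log_text):
    """Sum exported records per user per day, ignoring non-export events."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            if event["action"] == "export":
                totals[event["user"]][event["day"]] += event["records"]
    return totals

def flag_bulk_exports(log_text, ratio=20, floor=10_000, min_history=2):
    """Return (user, day, total, baseline) for days far above the user's own norm."""
    alerts = []
    for user, days in daily_totals(log_text).items():
        history = []
        for day in sorted(days):  # ISO dates sort chronologically
            total = days[day]
            if len(history) >= min_history:
                baseline = median(history)
                if total >= floor and total > ratio * baseline:
                    alerts.append((user, day, total, baseline))
                    continue  # keep the spike out of the baseline
            history.append(total)
    return alerts

if __name__ == "__main__":
    for alert in flag_bulk_exports(SAMPLE_LOG):
        print("ALERT user=%s day=%s records=%d baseline=%s" % alert)
```

The high-volume reporting account is not flagged because its exports match its own baseline; only the account whose volume departs from its history is.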

Carnival's Repeat Offender Status

Carnival has been here before. The cruise giant disclosed a major breach in August 2020 after suspicious activity dating to May 2019, ultimately settling state attorney general investigations for $1.25 million and reaching a $5 million settlement with the New York Department of Financial Services. Additional breaches followed in 2021. Each one started with phishing or credential abuse, and each one ended with customer data leaking out of cloud platforms that had been entered with stolen logins.

For a company that operates Carnival Cruise Line, Princess, Holland America, Cunard, and Costa, with hundreds of millions of guest interactions over its data lifecycle, "single user account" incidents have become a pattern rather than an anomaly.

Why Email Lists Are the Real Prize

A clean list of 7.5 million email addresses tied to a specific brand and demographic (older travelers with disposable income who recognize Holland America) is worth more to scammers than credit card numbers. Card numbers go stale within weeks of a breach. An email address linked to a known loyalty program is a high-value target for years.

Within hours of the leak going public, criminal forums began advertising the dataset for spam, phishing, and impersonation campaigns. Mariner Society members should expect emails that reference their actual tier, mention real itineraries, and link to fake "loyalty rewards" portals. The personalization is what makes them effective.

What Mariner Society Members Should Do

  • Treat every Holland America email as suspicious. Attackers now have the data to send convincing impersonations. Verify any "account update" or "loyalty offer" by logging in directly to hollandamerica.com instead of clicking links.
  • Check Have I Been Pwned. Search your email at haveibeenpwned.com to confirm whether your address is in the Carnival dataset.
  • Rotate any password reused across loyalty accounts. If you used the same password on Holland America and a financial site, change both immediately.
  • Block tracking pixels in incoming mail. Scammers who buy this list will pepper you with phishing emails containing tracking beacons that confirm the address is active. Removing those beacons makes you a less valuable target. Gblock blocks tracking pixels in Gmail automatically.
  • Watch for voice calls. ShinyHunters frequently follows email leaks with vishing campaigns, using stolen names and birthdates to pass identity verification. Hang up and call back through the official number on hollandamerica.com.
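To make the tracking-pixel item concrete: a beacon is usually a remote image that is 1 pixel in size or hidden by an inline style, and fetching it tells the sender the address is live. The following is an added example, not Gblock's code or anything from the original article; the sample HTML, hostnames and heuristics are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed message body; hostnames and the "u" token are placeholders.
SAMPLE_HTML = (
    '<p>Your loyalty tier has been upgraded.</p>'
    '<img src="https://cdn.example.com/banner.png" width="600" height="200">'
    '<img src="https://track.example.net/o.gif?u=abc123" width="1" height="1">'
    '<img src="https://track.example.net/p.gif?u=abc123" style="display:none">'
    '<img src="cid:spacer" width="1" height="1">'
)

# Inline styles that make an image invisible or 0-1 px in one dimension.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class BeaconStripper(HTMLParser):
    """Re-emits HTML, dropping remote <img> tags that look like open beacons."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        # cid:/data: images are embedded in the message and cause no request.
        remote = src.lower().startswith(("http://", "https://", "//"))
        tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "img" and remote and (tiny or hidden):
            self.removed.append(src)
        else:
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # <img ... /> takes the same path

    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def strip_beacons(html):
    """Return (cleaned_html, removed_urls); comments and doctype are dropped."""
    parser = BeaconStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed
```

Size and style heuristics miss beacons served as normal-sized images, which is why many mail clients also offer blocking of all remote images by default.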

The Pattern Continues

The Carnival breach is not an outlier. It is the third major ShinyHunters incident in two weeks, and the group has signaled it has more victims queued for its leak portal. The economics are obvious: phishing one employee costs nothing, the data is worth millions, and the public shaming of non-paying victims advertises the service to future targets.

For the 7.5 million people whose email addresses just hit the open market, the breach is no longer Carnival's problem. It is theirs. The phishing emails that arrive over the next several months will be the real fallout—and they will keep arriving long after the news cycle has moved on.

The Carnival list is one input among many. A separate hacker just published 6.8 billion email addresses on BreachForums—roughly 3 billion of them verified valid—giving phishing operators a commodity-priced target list to combine with stolen breach data like Carnival's.
