Reading view

Carnival confirms data breach impacting nearly 6 million

Carnival Corporation, parent of Carnival Cruise Line, is sending out fresh “Notice of Cybersecurity Event” letters dated May 27, 2026. If you feel like you’ve read that sentence before, you’re not imagining things. Over the last decade, the world’s largest cruise operator has accumulated a worrying track record of breaches, ransomware incidents, and regulatory penalties, with this 2026 incident adding yet another entry to an already lengthy cybersecurity history.

There are several data breaches involving Carnival Corporation or one of its subsidiaries in our database.

Between 2019 and 2021 alone, Carnival reported four separate cybersecurity events to the New York Department of Financial Services. These included two ransomware attacks and a phishing incident in which attackers deployed malware, accessed and encrypted internal systems, and stole personal customer and employee information.

In this latest case, an attacker used social engineering to trick a Carnival employee into granting access to part of the company’s IT systems on April 14, 2026. By April 22, they used a compromised account to access a “limited portion” of Carnival’s IT systems, where they were able to copy personal data before being blocked.

According to the data breach notice filed in Maine, a total of 5,995,277 people were affected. Carnival determined that the intruder had illegally copied files containing personal information and is now writing to affected individuals to tell them that “data elements” relating to them were obtained.

Researchers cited by Gblock say the stolen data appears to include:

  • Full names
  • Email addresses
  • Dates of birth
  • Genders
  • Mariner Society membership status and tier
  • Internal customer identifiers

The template letter does not list specific data fields. Instead, it uses a placeholder:

“We have determined that your <<data elements>> were obtained.”

This strongly suggests that Carnival is populating each letter with data categories relevant to that particular individual, a common pattern in large breaches where people may have provided different information at different times.

Furthermore, the letters contain the usual content about the speed with which the company acted, involving third‑party experts, and frame the affected systems as a limited subset of the environment. For recipients, the important fact is not how limited the breach was from the company’s point of view, but whether the exposed information could be used for identity theft, fraud, or highly convincing phishing attacks.


Breaches happen every day. Don’t be the last to know.


We do know from past Carnival incidents that exposed data has included names, addresses, dates of birth, passport numbers, health information, and payment details. In previous breaches affecting cruise lines, compromised data has ranged from basic contact details to Social Security numbers and credit card information. Carnival has not publicly disclosed the full categories of data involved in the 2026 incident, but given that this 2026 event again involves “personal information” copied from internal systems, it is reasonable to treat it as a serious privacy incident, even if the exact mix of data varies per person.

The attack was claimed by extortion group ShinyHunters, which is known to steal data and then ask for a ransom. If the victim does not agree to the terms, the data will be published and/or sold to the highest bidder.

ShinyHunters offers Carnival data for download
ShinyHunters offers Carnival data for download

From a cybercriminal’s perspective, cruise industry data is highly prized. Cruise passengers are often relatively wealthy, and passenger records can combine identity data (names, addresses, dates of birth, passport numbers), contact data (emails, phone numbers), and potentially payment data (card numbers and sometimes bank details), making them valuable for identity theft, targeted phishing, and fraud.

What to do if you’re affected

To mitigate the fallout, Carnival is offering a complimentary 24‑month TransUnion credit‑monitoring package, delivered via the MyTrueIdentity platform and supported by Cyberscout for fraud assistance.

Be cautious of emails, texts, or calls claiming to come from Carnival or credit-monitoring providers, as cybercriminals often exploit breaches with phishing scams. Read our advice on what to do when you find out you’re involved in a data breach.


What do cybercriminals know about you?

Use Malwarebytes’ free Digital Footprint scan to see whether your personal information has been exposed online.

  •  

ShinyHunters escalates Canvas attacks with school login defacements

Days after confirming a major data breach, Instructure is now facing a second blow.

Earlier this week, Instructure confirmed a major data breach affecting its cloud‑hosted Canvas environment, with the ShinyHunters group claiming it stole hundreds of millions of records tied to thousands of schools and universities worldwide. As discussed in our earlier blog, that incident involved data such as student and staff records, enrollment details, and private messages allegedly accessed through Canvas export features and APIs. At that stage, the focus was on large‑scale data theft and the long‑term risks for affected students and families, including identity fraud and highly targeted phishing.

According to new reporting, ShinyHunters has now hit Instructure again, this time moving from quiet data theft to very visible extortion. Using another vulnerability in Instructure’s systems, the attackers were able to modify Canvas login portals for hundreds of educational institutions, defacing both web logins and the Canvas app with an on‑screen ransom message.

applying extra pressure
Image credit: vx-underground

The message both claimed responsibility for the earlier breach and set a deadline of May 12 for Instructure and affected schools to contact the gang or risk the public release of stolen data.

This second wave matters for two reasons. First, it confirms that ShinyHunters still has meaningful access to Instructure’s environment, or at least to components that control the look and behavior of school login pages. Second, it marks a clear escalation in pressure tactics, from leaked claims and dark web posts to messages shown directly to students, parents, and staff trying to access their courses.

How to deal with this data breach

For students and families, the practical advice from our original blog still applies:

  • Reset Canvas‑related passwords
  • Enable multi‑factor authentication where possible
  • Monitor financial and credit activity as children get older
  • Stay wary of highly personalized phishing that references real schools, courses, or teachers

For schools and districts, this latest extortion campaign underlines the need to coordinate closely with Instructure, review single sign-on (SSO) integrations, and prepare clear communications so that any future defacements or data leaks do not catch staff and parents by surprise.


CNET Editors' Choice Award 2026

“One of the best cybersecurity suites on the planet.” 

According to CNET. Read their review


  •  

Match, Hinge, OkCupid, and Panera Bread breached by ransomware group

The ShinyHunters ransomware group has claimed the theft of data containing 10 million records belonging to the Match Group and 14 million records from bakery-café chain Panera Bread.

Claims posted by ShinyHunters
Claims posted by ShinyHunters

The Match Group, that runs multiple popular online dating services like Tinder, Match.com, Meetic, OkCupid, and Hinge has confirmed a cyber incident and is investigating the data breach.

Panera Bread also confirmed that an incident occurred and has alerted authorities. “The data involved is contact information,” it said in an emailed statement to Reuters.

ShinyHunters seems to be gaining access through Single-Sign-On (SSO) platforms and using voice-cloning techniques, which has resulted in a growing number of breaches across different companies. However, not all of these breaches have the same impact.

The impact

For the Match Group, ShinyHunters claims:

“Over 10 million records of Hinge, Match, and OkCupid usage data from Appsflyer and hundreds of internal documents.”

Match says there is no evidence that logins, financial data, or private chats were stolen, but Personally Identifiable Information (PII) and tracking data for some users are in scope. A notification process has been set in motion.

For Panera Bread, ShinyHunters claims to have compromised 14 million records containing PII.

Panera Bread reassures users that there is no indication that the hackers accessed user login credentials, financial information, or private communications.

ShinyHunters also breached Bumblr, Carmax, and Edmunds among others, but I wanted to use Panera Bread and the Match Group as two examples that have very different consequences for users.

When your activity on a dating app is compromised, the impact can be deeply personal. Concerns can range from partners, family members, or employers discovering dating profiles to the risk of doxxing. For many people, stigma around certain apps can lead to fears of being outed, accused of infidelity, or even extorted.

The impact of the Panera Bread breach will be very different. “I just ordered a sandwich and now some criminals have my home address?” Data like this is useful to enrich existing data sets. And the more they know, the easier and better they can target you in phishing attempts.

Protecting yourself after a data breach

If you think you have been affected by a data breach, here are steps you can take to protect yourself:

  • Check the company’s advice. Every breach is different, so check with the company to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for impersonators. The thieves may contact you posing as the breached platform. Check the official website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but it increases risk if a retailer suffers a breach.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

You can use Malwarebytes’ free Digital Footprint scan to find out if your private information is exposed online.


We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

  •  
❌