MUST READ

Carnival Data Breach Exposes Personal Data of Nearly 6 Million Customers

 | 

CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks

 | 

Resecurity Supports Microsoft DCU in Disrupting Fox Tempest ’s Cybercriminal Code-Signing Ecosystem

 | 

U.S. CISA adds Daemon Tools, TanStack, and Nx Console flaws to its Known Exploited Vulnerabilities catalog

 | 

A Fake UK Visa Site Left 100,000 Passports Wide Open

 | 

U.S. CISA adds LiteSpeed cPanel Plugin flaw to its Known Exploited Vulnerabilities catalog

 | 

19.6 Billion Files Are Sitting Open on the Internet. No Password Required

 | 

Romanian Hacker Gets Nearly 5 Years in US Prison Over Network Intrusion

 | 

The LA Metro Attack Wasn't Hacktivism. It Was a State Operation With a Costume On.

 | 

How cybersecurity firms took down Glassworm botnet in one shot

 | 

Dutch Government just said no to an American firm buying the keys to their digital State

 | 

Microsoft SharePoint Has a New RCE Flaw. If You Haven't Patched Yet, Go Do That.

 | 

The Hidden Ransomware Economy Running on Exposed Databases

 | 

Malware Found in Laravel-Lang Composer Packages After Git Tag Poisoning Attack

 | 

Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers

 | 

Lazarus APT unveils fileless remote access Trojan designed to evade detection

 | 

Third-Party Cyberattack Impacts Patient Information at The Oncology Institute

 | 

Ghost CMS flaw abused to push ClickFix attacks on hundreds of sites

 | 

340 Million OnlyFans Profiles Allegedly Rebuilt from Leaks

 | 

Zero-Click WhatsApp Account Takeover Hits iPhone Users Running iOS 16. No Linked Devices, No Warning

 | 

Carnival Data Breach Exposes Personal Data of Nearly 6 Million Customers

Pierluigi Paganini May 28, 2026

Carnival disclosed a data breach affecting nearly 6 million people after hackers used social engineering to access employee accounts.

Carnival Corporation is notifying nearly 6 million people after a data breach exposed personal information. According to the notification shared with the Maine Attorney General’s Office, the total number of persons affected is 5,995,277.

The company said attackers used social engineering to compromise an employee account on April 14, then accessed internal systems and stole files containing customer data.

The incident raises concerns about identity theft risks for affected individuals as investigations and notifications continue.

“On April 14, 2026, the company’s IT security team identified unauthorized activity involving an employee’s account. An unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the company’s IT system.” reads the notice of data breach. “The company acted swiftly to block the unauthorized activity and immediately began working with third party security experts to further strengthen its security and to conduct a thorough investigation. “As part of this investigation the company determined the bad actor illegally accessed certain personal information.”

The company quickly blocked the intrusion and launched an investigation with the help of external security experts. Investigators later confirmed the attackers accessed personal data that may include names, addresses, emails, phone numbers, dates of birth, and government-issued IDs such as passport and driver’s license numbers.

Carnival started notifying affected individuals on May 27, 2026, and is offering eligible US customers two years of free credit monitoring through TransUnion. The company said it improved its security and monitoring systems after the security incident and continues to improve data protection measures. The company urged customers to monitor bank accounts and credit reports for suspicious activity and contact police if they suspect identity theft or fraud.

In April, the popular cybercrime group ShinyHunters claimed the attack and the theft of 8.7 million records.

This isn’t the first data breach disclosed by the cruise line operator, other incident occurred in March 2021, August 2020, and May 2019.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

you might also like

Pierluigi Paganini May 24, 2026
U.S. CISA adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini May 20, 2026
DirtyDecrypt: PoC Released for yet another Linux flaw
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

Carnival Data Breach Exposes Personal Data of Nearly 6 Million Customers

Uncategorized / May 28, 2026

CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks

Malware / May 28, 2026

Resecurity Supports Microsoft DCU in Disrupting Fox Tempest ’s Cybercriminal Code-Signing Ecosystem

Security / May 28, 2026

U.S. CISA adds Daemon Tools, TanStack, and Nx Console flaws to its Known Exploited Vulnerabilities catalog

Security / May 28, 2026

A Fake UK Visa Site Left 100,000 Passports Wide Open

Security / May 28, 2026