ShinyHunters Claims Carnival and Udemy Breaches in Extortion Campaign
ShinyHunters claimed responsibility for a major breach affecting Carnival Corporation, with data tied to Holland America Line’s Mariner Society loyalty program appearing online after an alleged extortion attempt failed. According to Have I Been Pwned, the leaked dataset contained 8.7 million records and 7.5 million unique email addresses, including names, dates of birth, genders, and loyalty program status details. Carnival acknowledged a security incident and said it had identified a phishing attack involving a single user account, while continuing to assess the scope of unauthorized access; the gang separately alleged it also stole terabytes of internal corporate data, a claim that had not been independently verified.
The same group also posted a "Pay or Leak" notice claiming it had compromised Udemy and stolen more than 1.4 million user records along with internal corporate data, giving the company a deadline before any public release. Udemy had not confirmed the incident at the time of reporting, leaving the claim unverified, but the allegation fits a broader ShinyHunters campaign targeting SaaS and education organizations through social engineering, credential theft, MFA bypass, and abuse of third-party access. The incidents underscore the group’s continued use of extortion-backed data theft to pressure victims and expose customer information.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Udemy data is publicly leaked after ShinyHunters extortion attempt
In April 2026, data allegedly stolen from Udemy was publicly leaked following a ShinyHunters 'pay or leak' extortion attempt. The exposed dataset reportedly contained 1.4 million unique email addresses along with names, addresses, phone numbers, employer details, and instructor payout method information.
ShinyHunters posts alleged Udemy breach with extortion deadline
On its leak site, ShinyHunters claimed it had compromised Udemy and stolen more than 1.4 million records containing personal and internal corporate data. The post gave Udemy until 2026-04-27 to respond before the data would allegedly be leaked publicly, and the claim was unverified at publication.
ShinyHunters publicly releases alleged Carnival data
About one week after its extortion attempt, ShinyHunters publicly released a dataset allegedly tied to Carnival's Holland America Line Mariner Society program. The leak reportedly contained 8.7 million records and 7.5 million unique email addresses, including names, dates of birth, genders, and loyalty status information.
ShinyHunters claims Carnival breach and attempts extortion
In April 2026, ShinyHunters claimed it had stolen Carnival-related data and tried to extort the company to prevent publication. The group also alleged it had obtained customer data and terabytes of internal corporate data, though the full scope was not independently confirmed.
Carnival identifies phishing incident involving one user account
Carnival said it identified a phishing incident affecting a single user account and began assessing the scope of any unauthorized activity tied to Holland America Line's Mariner Society loyalty program.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
teiss - News - ShinyHunters claims Udemy breach, threatens leak of 1.4 million records
teiss.co.uk
Open sourceUdemy allegedly breached by ShinyHunters, data leak warned | brief | SC Media
scworld.com
Open sourceShinyHunters claims it stole 1.4 million records from Udemy - Help Net Security
helpnetsecurity.com
Open sourceHave I Been Pwned: Udemy Data Breach
haveibeenpwned.com
Open sourceUdemy Data Breach - ShinyHunters Claims Compromise of 1.4M User Records
cybersecuritynews.com
Open sourceHave I Been Pwned: Carnival Data Breach
haveibeenpwned.com
Open sourceShinyHunters claim they have cruise giant Carnival’s booty • The Register
go.theregister.com
Open sourceUdemy Data Breach - ShinyHunters Claims 1.4M Records - TheCyberThrone
thecyberthrone.in
Open sourceShinyHunters claim they have cruise giant Carnival’s booty
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Claims Udemy Breach and Threatens to Leak 1.4 Million Records
The **ShinyHunters** extortion group claimed it breached online learning platform **Udemy** and stole more than **1.4 million user records**, according to multiple reports. The attackers allegedly said the haul includes personally identifiable information and internal corporate files, raising concerns that affected users could face phishing, identity fraud, and other follow-on abuse if the data is authentic. The group reportedly threatened to publish the stolen information unless Udemy entered negotiations, with reporting indicating a leak deadline of **April 27**. Researchers and media outlets noted that the exact contents of the dataset had not been independently verified because no sample had been publicly released at the time, but the claim placed Udemy among a growing list of organizations publicly named by ShinyHunters in recent extortion activity.
May 25, 2026
ShinyHunters Claims CarGurus and Carnival Customer Data Breaches
Car-shopping platform **CarGurus** disclosed a data breach affecting **12.4 million accounts**, after the **ShinyHunters** extortion group claimed it had stolen customer records and offered a dataset for sale. Reporting indicated the exposed information included account and profile data tied to millions of users, while earlier claims from the group had put the haul at roughly **1.7 million records**, highlighting uncertainty around the exact scope as public reporting evolved. A separate incident hit **Carnival Corporation**, where a dataset flagged by **Have I Been Pwned** contained **8.7 million records** and **7.5 million unique email addresses** allegedly linked to **Holland America Line’s Mariner Society** loyalty program. The data reportedly included names, dates of birth, gender, and membership-status details, raising fraud and phishing concerns. Carnival said it was investigating what it described as a phishing attack involving a single user account, but ShinyHunters claimed responsibility and alleged it also stole terabytes of internal corporate data, suggesting the compromise may extend beyond a limited account breach.
May 25, 2026
ShinyHunters-Linked Extortion and Data Leak Claims Targeting Automotive Retailers
Data allegedly sourced from US automotive retailer **CarMax** was published online after a **failed extortion attempt**, according to a Have I Been Pwned breach entry. The exposed dataset reportedly includes **431,000 unique email addresses** along with **names, phone numbers, and physical addresses**, indicating a PII-heavy leak that could enable targeted phishing and identity-focused fraud. Separately, **CarGurus** was reported as being purportedly breached by the **ShinyHunters** hacking operation, with claims of **1.7 million corporate files** stolen and an extortion deadline tied to negotiations. The intrusion was alleged to have occurred via **single sign-on (SSO) codes obtained through voice phishing**, consistent with ShinyHunters’ prior claims of compromising other organizations using SSO-code access; CarGurus has been positioned as another extortion-driven theft where internal records and PII may be at risk of exposure.
Mar 21, 2026