ShinyHunters Claims Carnival and Udemy Breaches in Extortion Campaign
ShinyHunters claimed responsibility for a major breach affecting Carnival Corporation, with data tied to Holland America Line’s Mariner Society loyalty program appearing online after an alleged extortion attempt failed. According to Have I Been Pwned, the leaked dataset contained 8.7 million records and 7.5 million unique email addresses, including names, dates of birth, genders, and loyalty program status details. Carnival acknowledged a security incident and said it had identified a phishing attack involving a single user account, while continuing to assess the scope of unauthorized access; the gang separately alleged it also stole terabytes of internal corporate data, a claim that had not been independently verified.
The same group also posted a "Pay or Leak" notice claiming it had compromised Udemy and stolen more than 1.4 million user records along with internal corporate data, giving the company a deadline before any public release. Udemy had not confirmed the incident at the time of reporting, leaving the claim unverified, but the allegation fits a broader ShinyHunters campaign targeting SaaS and education organizations through social engineering, credential theft, MFA bypass, and abuse of third-party access. The incidents underscore the group’s continued use of extortion-backed data theft to pressure victims and expose customer information.
Timeline
Apr 26, 2026
Udemy data is publicly leaked after ShinyHunters extortion attempt
In April 2026, data allegedly stolen from Udemy was publicly leaked following a ShinyHunters 'pay or leak' extortion attempt. The exposed dataset reportedly contained 1.4 million unique email addresses along with names, addresses, phone numbers, employer details, and instructor payout method information.
Apr 24, 2026
ShinyHunters posts alleged Udemy breach with extortion deadline
On its leak site, ShinyHunters claimed it had compromised Udemy and stolen more than 1.4 million records containing personal and internal corporate data. The post gave Udemy until 2026-04-27 to respond before the data would allegedly be leaked publicly, and the claim was unverified at publication.
Apr 24, 2026
ShinyHunters publicly releases alleged Carnival data
About one week after its extortion attempt, ShinyHunters publicly released a dataset allegedly tied to Carnival's Holland America Line Mariner Society program. The leak reportedly contained 8.7 million records and 7.5 million unique email addresses, including names, dates of birth, genders, and loyalty status information.
Apr 17, 2026
ShinyHunters claims Carnival breach and attempts extortion
In April 2026, ShinyHunters claimed it had stolen Carnival-related data and tried to extort the company to prevent publication. The group also alleged it had obtained customer data and terabytes of internal corporate data, though the full scope was not independently confirmed.
Apr 17, 2026
Carnival identifies phishing incident involving one user account
Carnival said it identified a phishing incident affecting a single user account and began assessing the scope of any unauthorized activity tied to Holland America Line's Mariner Society loyalty program.
Sources
3 more from sources like hibp breaches, cyberthrone and register security
Related Stories

ShinyHunters-Linked Extortion and Data Leak Claims Targeting Automotive Retailers
Data allegedly sourced from US automotive retailer **CarMax** was published online after a **failed extortion attempt**, according to a Have I Been Pwned breach entry. The exposed dataset reportedly includes **431,000 unique email addresses** along with **names, phone numbers, and physical addresses**, indicating a PII-heavy leak that could enable targeted phishing and identity-focused fraud. Separately, **CarGurus** was reported as purportedly breached by the **ShinyHunters** hacking operation, with claims of **1.7 million corporate files** stolen and an extortion deadline tied to negotiations. The intrusion was alleged to have occurred via **single sign-on (SSO) codes obtained through voice phishing**, consistent with ShinyHunters’ prior claims of compromising other organizations using SSO-code access; the CarGurus incident has been described as another extortion-driven theft in which internal records and PII may be at risk of exposure.
1 month ago
ShinyHunters Data-Theft and Extortion Targeting CarGurus and Wynn Resorts
**ShinyHunters** is linked to multiple large-scale data-theft and extortion operations, including a breach at automotive marketplace **CarGurus** in February 2026. After an attempted extortion, the stolen CarGurus data was published publicly and reportedly included **12M+ email addresses** across multiple files, with additional exposed information such as names, phone numbers, physical and IP addresses, user account ID mappings, dealer account/subscription details, and auto finance pre-qualification application data (including application outcomes). ShinyHunters also claimed to have stolen **800,000+ records** from **Wynn Resorts** and demanded **22.34 Bitcoin (~$1.5M)** to prevent publication, setting a deadline and threatening further “digital problems” if unpaid. Data samples reviewed by a media outlet reportedly contained employee PII including **Social Security numbers**, names, emails, phone numbers, job details, salaries, start dates, and birthdays; the group alleged initial access occurred in **September 2025** via an **Oracle PeopleSoft vulnerability** combined with an employee’s credentials, and it did not clarify whether the credentials were obtained through social engineering or insider access-for-hire.
1 month ago
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
1 month ago