ShinyHunters week - Zara, Rituals, Carnival, Amtrak. 38M records leaked
May 5, 2026
· #cybersec #shinyhunters #zara #rituals #carnival #hack
ShinyHunters week - Zara, Rituals, Carnival, Amtrak. 38M records leaked
ShinyHunters - the dark-web hacker group - published data from about 40 organizations in one wave of leaking. Over 38 million records. If you shopped at Zara, used Rituals, sailed Carnival - your data is probably there.
April 23-29, 2026 (peak). ShinyHunters pushed the data to a public leak site “indefinitely” - it stays there forever.
Confirmed victim list
- Carnival Corporation (cruise) - 8.7M records per ShinyHunters claim / 7.5M unique emails per HaveIBeenPwned (Holland America Line subsidiary)
- Inditex/Zara - confirmed unauthorized access at a “former third-party technology provider” (transaction databases). ShinyHunters claim: 192GB BigQuery via Anodot (unverified)
- Rituals (cosmetics, Netherlands) - 41M membership database (affected count undisclosed - Rituals won’t say)
- 7-Eleven - claim 600k records via Salesforce (unverified publicly)
- Amtrak - 9.4M Salesforce records (Cybernews)
- McGraw-Hill - 40-45M Salesforce records (disputed)
- ADT - 5.5-10M records (ShinyHunters claim / HaveIBeenPwned)
- Mytheresa, Pitney Bowes, Hallmark - the rest
What “records” means
Email. Address. Phone number. Purchase history. Which is everything needed to hack you further. Email phishing. SMS scams. Personalized fraud.
Why it matters to you
Your data is among the 38 million. If you shopped at Zara, used Rituals, sailed Carnival cruise. If not - probably they just haven’t released your store yet.
This isn’t an attack on a corporation. It’s an attack on YOU.
My perspective
What to do now:
- Check haveibeenpwned.com - enter your email, see which database you’re in
- Enable 2FA everywhere - email, banks, social media. Without 2FA = you’re exposed
- Unique passwords per service - password manager (1Password, Bitwarden, KeePass)
- Expect phishing emails - over the next 6 months, increased attempts
Sources
- Cybernews - “ShinyHunters adds Zara, Carnival, 7-Eleven to growing ransomware leak list” (April 2026)
- TechRadar - “ShinyHunters exposes data on Mytheresa, Zara, Carnival, 7-Eleven - over 40 organizations” (Apr 23, 2026)
- TechRadar - “‘They don’t care’: ShinyHunters strike again as hackers claim to have pinched 7.5 million Carnival cruise emails” (Apr 27, 2026)
- TechCrunch - “Cosmetics giant Rituals confirms data breach of customer membership records” (Apr 22, 2026)
- CyberInsider - “Inditex confirms third-party breach as hackers threaten Zara data leak” (Apr 17, 2026)
- Tom’s Guide - “5.5 million hit in latest ADT data breach”