7.5M Cruise Customers Exposed & a Critical CrowdStrike Bug You Should Patch Now

Two stories landed today that matter whether you're a casual cruiser or running a security operations center: a massive consumer data leak from one of the world's biggest cruise brands, and a critical bug in a tool many enterprises rely on to spot attackers in the first place. Here's what happened and what it means for you.

ShinyHunters Drop 7.5 Million Carnival Cruise Customer Emails

Have I Been Pwned has flagged 7.5 million email addresses tied to Holland America Line's Mariner Society loyalty program after the notorious ShinyHunters group published the data when ransom negotiations broke down. Beyond emails, the leak reportedly includes names, birth dates, and loyalty membership details — exactly the kind of information scammers love for crafting convincing phishing emails and identity theft attempts.

Carnival is downplaying the incident as a phishing attack against a single user account, but ShinyHunters claims to be sitting on terabytes of corporate data, so the real blast radius is still unclear. If you've ever sailed with Holland America (or any Carnival brand), assume your contact info is in criminal hands and be extra suspicious of any "Carnival" or "loyalty rewards" emails landing in your inbox.

Read more

Critical CrowdStrike LogScale Flaw Lets Attackers Read Sensitive Files

CrowdStrike has patched CVE-2026-40050, a critical unauthenticated path-traversal bug in its LogScale self-hosted cluster API that lets remote attackers read arbitrary files off the server — think configuration files, credentials, and other internal secrets that should never leave the box. The flaw was caught through internal testing with no signs of in-the-wild exploitation, and CrowdStrike's SaaS and Next-Gen SIEM customers were already protected by network-layer mitigations rolled out on April 7.

Why this matters even if you don't run CrowdStrike: log management platforms sit at the heart of a security team's ability to detect intruders. A compromise there could let attackers silence alerts, erase their tracks, and pivot deeper into a network undetected. If your organization runs self-hosted LogScale, this is a drop-everything-and-patch moment.

Read more

Stay ahead of threats with GOCO Security at gocosecurity.com.