Carnival Shows the Same Pattern Again: Social Engineering + Compromised MFA

Kevin Surace
3 minute read
Tokens customers are fully protected. Carnival’s customers were not.

Carnival Corp. has disclosed another cybersecurity incident, and the pattern should look familiar by now. According to Reuters, the company said an employee account was compromised in April after social engineering was used to deceive an employee and gain access to data. The exposed information included names, addresses, and government issued identification numbers.

Carnival says it quickly blocked the unauthorized activity, hired outside security experts, and is offering affected United States customers two years of credit monitoring. Those are responsible incident response steps after the fact. But the more important question is what allowed the attacker to authenticate as the employee in the first place.

Based on the public facts, this was almost certainly an identity failure. The attacker did not need to exploit a database vulnerability if they could convince the identity layer that they were the employee. If the compromised account had access to sensitive personal data, and if Carnival had MFA enabled as most large enterprises do, then the attacker likely got through MFA by manipulating the human side of authentication.

A Few Likely Paths

The first is a real time phishing relay. The employee is sent to a convincing fake login page. They enter credentials and then complete the MFA step, believing they are logging into the legitimate Carnival system. In the background, the attacker relays the credentials and MFA response to the real system. The final result is that the employee unknowingly authenticates the attacker.

The second is push approval abuse. The attacker already has the password, perhaps from prior phishing, credential theft, malware, or a dark web source. They trigger repeated login attempts until the employee approves a push notification, either out of confusion, fatigue, or because the attacker is simultaneously calling or messaging them with a believable pretext.

The third is help desk or account recovery manipulation. The attacker impersonates the employee or someone with authority, convinces support to reset credentials, enroll a new authenticator, or bypass a control. Once that happens, the attacker does not need to defeat MFA. The organization has effectively reissued trust to the wrong person.

All three paths have the same root cause. Legacy MFA still depends on a human making the right decision under pressure. It asks the employee to recognize the real site, reject the fake one, understand the login context, resist a convincing caller, and never approve the wrong prompt. That is not authentication. That is hope with an app attached.

This is why compromised MFA is now showing up again and again in major breaches. The system may have a second factor, but the second factor is still transferable, relayable, or socially engineerable. A code can be read aloud. A push can be approved. A recovery flow can be abused. A session can be handed to the attacker. Once the attacker has a valid session under a valid employee identity, downstream security tools may see normal access from a trusted account.

What Token changes at the authentication layer

TokenCore devices are designed to break that chain at the authentication layer. Token customers are already protected because TokenCore authentication does not rely on codes, push approvals, shared secrets, or user judgment. A login requires biometric FIDO2 authentication, hardware possession, domain binding, and physical proximity. The private key stays inside the TokenCore device. The biometric match happens on the device. The authentication request must match the legitimate registered domain. The device must be near the endpoint being used.

That matters technically.

If an attacker sends a Carnival employee to a spoofed login page, a TokenCore device will not sign the request for the wrong origin. The fake domain cannot receive a valid authentication response for the real Carnival domain. The relay fails because the cryptographic credential is bound to the legitimate relying party.

If an attacker has the employee’s password, it does not matter. There is no usable second factor to steal or replay. The attacker still needs the physical TokenCore device, the employee’s live fingerprint, and the proper domain bound authentication flow.

If an attacker calls the employee and asks for a code, there is no code. If they trigger a push approval, there is no push approval. If they try to enroll a new device through a weak recovery process, policy should require biometric assured identity before any privileged authenticator change is allowed.

This is the shift enterprises need to make. The issue is no longer whether employees have MFA. The issue is whether MFA can be socially engineered.

Carnival’s disclosure shows why that distinction matters. A compromised employee account with access to personal data is not a minor authentication failure. It is the front door opening to sensitive information. Once attackers are logging in as trusted users, the organization is already fighting from behind.

The better answer is to prevent the login from succeeding in the first place.

TokenCore devices protect customers every hour by making the common social engineering playbook unusable. No code to relay. No push to approve. No password reset that should bypass biometric assured identity. No fake domain that can trick the authenticator into signing. No remote attacker who can satisfy proximity and fingerprint requirements.

So the question after Carnival is not simply what happened after the breach was discovered.

The real question is why any enterprise handling sensitive personal data is still relying on MFA that can be relayed, reset, or socially engineered.

And yes, Carnival should call Token.

Stay Identity Assured

Subscribe to The Assured Identity Brief for sharp insights on identity security, authentication, and the threats security leaders must stay ahead of.