Leak at Interrail
A December 2025 cyberattack on Eurail B.V., operator of the Interrail and Eurail rail passes, exposed personal data of roughly 308,000 travellers — including names, contact details, dates of birth and passport numbers — which by 2026 was being sold on the dark web.
- Victim
- Interrail
- records
- 308.8K
On 3 May 2026, Interrail — the cross-border rail pass brand operated by the Utrecht-based Eurail B.V. — remained in the spotlight over a data breach affecting roughly 308,000 travellers. An unauthorised party had accessed part of the customer database during a cyberattack in December 2025; Eurail disclosed the incident publicly in January 2026, and by spring 2026 the stolen records were being offered for sale on the dark web.
The intrusion gave attackers access to personal data of people who had bought an Interrail or Eurail pass directly or through associated distributors. Eurail says it does not store images of passports, but the exposed fields are highly sensitive for identity-fraud purposes.
Exposed data categories included:
- Full name (first and last name)
- Email address
- Postal address
- Phone number
- Date of birth and gender
- Passport number, issuing country, issue date and expiry date
- Travel companion details
Eurail confirmed that the exfiltrated database was put up for sale on the dark web and that a sample dataset was published on Telegram; everyone appearing in that sample was notified directly. The company says it secured its systems, added further safeguards and is investigating with external cybersecurity specialists. Affected travellers were urged to watch for phishing and suspicious account activity, and some passport-holders were even advised to consider replacing their passports. The investigation remains ongoing.
Sources
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/eurail-says-stolen-traveler-data-now-up-for-sale-on-dark-web/
- theregister.comhttps://www.theregister.com/2026/01/14/eurail_breach/
- next.inkhttps://next.ink/brief_article/interrail-fuite-de-donnees-personnelles-avec-numero-de-passeport-date-dexpiration/
- helpnetsecurity.comhttps://www.helpnetsecurity.com/2026/01/15/eurail-interrail-data-breach/