- New evidence shows the Eurail data breach affected about 308,000 U.S. individuals, including 242 New Hampshire residents.
- The December 2025 security incident exposed sensitive traveller information, including names and passport numbers.
- Eurail earlier confirmed that the data is already circulating for sale on the dark web, and financial and health data may be part of the dump.

It has now been confirmed that the Eurail data breach that took place late last year affected thousands of Americans who were travelling around Europe during the holidays. The compromise exposed personal info of travellers, passport numbers included.
Newly uncovered evidence suggests the extent of damage might be beyond what the rail pass company earlier disclosed.
Details of the Eurail Data Breach
This breach happened around late December 2025, but reports only emerged in early January. Unauthorized individuals broke into Eurail’s network and made off with files containing a lot of customer data. The Netherlands-based company, which runs the official online sales platform for Eurail and Interrail passes, spotted unusual activity soon after.
Eurail quickly activated its incident response team. The company invited external cybersecurity experts and also informed the authorities about what happened. During investigations, they found that the actual file transfer was done on December 26. But the company only made its final determination about the exposed data this year on February 25.
It took another month to start notifying victims. Finally, Eurail began reaching out to affected individuals and state authorities on March 27. They sent the breach notification to attorneys general in US states where the affected individuals reside, including California, New Hampshire, Oregon, and Vermont. A public notice also went up on the European Youth Portal.
What Hackers Stole and Where It Ended Up
Here is the confirmed list for U.S. individuals: names and passport numbers. That alone is plenty dangerous for identity theft. But earlier findings point to a much larger exposure.
The company previously confirmed that data from this incident appeared for sale on the dark web. Samples even showed up on Telegram, the encrypted messaging app. That earlier dataset reportedly included bank account IBANs, email addresses, phone numbers, and health information on top of names and passport details.
The breach may also impact customers who bought passes through partner channels. People who participated in the DiscoverEU program also got alerts that their passport and financial information might have leaked.
Safety Measures for Those the Breach Affected
Notably, Eurail mentioned they’ve terminated the unauthorized access and beefed up their internal security measures. Nonetheless, they continue working with law enforcement and cyber experts and are still looking into the incident.
Anyone who has ever bought a Eurail or Interrail pass should stay alert. Ignore unsolicited emails, text messages, or calls from someone posing as a Eurail representative and requesting your personal information.
Keep monitoring your bank accounts, and review your credit reports every now and then. If you are in the US, you’re eligible for a free annual credit report from any of the three major bureaus.
These precautions are essential for everyone, not just Eurail customers. With 26 million records from across the U.S., UK, and Australia currently being advertised on the dark web, it’s likely that many more people than just Eurail’s customers have had their personal information compromised.
If you suspect any unusual activity or think someone might be using your information for anything illicit, contact the Federal Trade Commission. You may also report it to the attorney general’s office or law enforcement in your state.
This breach shows how travel platforms holding identity documents become prime hacker targets. With passport numbers in the wild, affected travelers face risks that could last for years.