A major data breach at Eurail exposed the personal information of 308,777 people, including names and passport numbers belonging to travelers who purchased rail passes for journeys across Europe.
The Netherlands-based company discovered unauthorized access to its systems after an attacker copied files from its network on December 26, 2025. Eurail publicly acknowledged the security incident on January 10, 2026, and later filed notices with regulators confirming the number of affected individuals.
The risk became more serious after Eurail confirmed that stolen information had been offered for sale on the dark web and that a sample of the dataset had been published through Telegram. Customers whose details appeared in the sample were contacted directly when Eurail had usable contact information.
What Information Was Exposed?
Regulatory notifications said that the stolen files included customers’ names and passport numbers. Other affected records reportedly contained dates of birth, telephone numbers, email addresses and home addresses.
The exact information exposed was not identical for every person. The data available would have depended on the information a customer supplied while buying a pass, managing a journey or contacting Eurail’s support services.
Passport information creates particular concern because it is a durable identity record. A password can be changed quickly, while a passport number normally remains the same until the document expires or is replaced.
Eurail said ordinary payment-card information was not among the primary data identified in its standard customer breach notices. However, a separate group connected with the European Union’s DiscoverEU travel program may have had more sensitive information affected.
DiscoverEU Participants May Have Lost Additional Data
The breach also affected information associated with DiscoverEU, an EU initiative that provides selected young people with opportunities to travel around Europe by rail.
According to notices cited in breach reporting, information connected with some DiscoverEU participants may have included names, ages, passport details, passport copies, home addresses, bank-account numbers and limited health information.
This does not mean every one of the 308,777 affected people had banking, medical or passport-image data stolen. The broader set of sensitive records appears to relate to particular DiscoverEU applications or administrative processes.
People who received a notification should read it carefully rather than relying only on general reports. Eurail’s letter should indicate which categories of information may have applied to that individual.
Eurail and Interrail Customers Were Both Potentially Affected
Eurail B.V. operates the Eurail and Interrail rail-pass systems.
Eurail passes are generally marketed to travelers who live outside Europe, while Interrail passes are intended primarily for European residents. Both products allow travelers to use participating rail and ferry networks across numerous European countries.
Because the same company manages the systems and customer information behind both brands, the incident was not limited only to people who purchased a pass carrying the Eurail name.
Someone who previously travelled using Interrail, Eurail or DiscoverEU should not dismiss a breach notification simply because the message uses Eurail B.V. as the company name.
Eurail maintains an official data-security information center explaining the incident and the actions available to customers.
How the Breach Happened
Eurail said an unauthorized actor entered its systems and transferred files from its network on December 26, 2025.
The company has not publicly provided a complete technical explanation of how the attacker gained entry. It has also not confirmed all of the internal systems, software weaknesses or credentials involved.
A person claiming responsibility later alleged that a much larger collection of company material had been stolen, including database backups, customer-support records and source code. These claims came from the alleged attacker and should not be treated as independently verified descriptions of the entire breach.
Eurail reported the incident to European data-protection authorities and began notifying regulators and affected customers in other countries as the investigation clarified the scale of the exposure.
Why Passport Data Is Valuable to Criminals
A passport number alone normally is not enough to travel under another person’s identity or gain direct access to a bank account.
The danger increases when it is combined with a full name, date of birth, address, email address and telephone number. Together, these details can help a criminal create convincing phishing messages, impersonate the traveler or answer identity-verification questions.
A scammer could send a message that mentions a genuine Eurail booking, destination or travel companion. Because the email contains accurate personal details, the recipient may be more likely to believe that it came from Eurail, a railway company, a border authority or a travel insurer.
The attacker may then ask the victim to confirm a password, submit a passport image, enter payment details or pay a supposed rebooking or security fee.
Stolen identity data may also remain useful long after the original breach. Criminal databases are regularly combined with information exposed in other incidents, allowing attackers to build more complete profiles of individuals.
The Stolen Information Was Published and Offered for Sale
Eurail confirmed that data copied during the incident was advertised for sale on the dark web. A sample was also published on Telegram, demonstrating that at least part of the stolen material had moved beyond the attacker’s private control.
Once personal information is publicly shared or sold to several criminal groups, the original organization cannot reliably retrieve every copy.
Removing one advertisement or online post does not guarantee that the data has disappeared. Other people may already have downloaded, duplicated or resold it.
This is why affected travelers should remain cautious even months after the initial breach announcement. A phishing attempt connected with the stolen information may not arrive immediately.
Should Travelers Replace Their Passports?
There is no single answer that applies to every affected traveler.
Some customers in the United Kingdom and Denmark reportedly chose or were advised to cancel and replace their passports after learning that their information had been compromised. However, the UK Home Office said the final decision remained with individual passport holders and noted that modern passports contain security technologies intended to make forgery more difficult.
A stolen passport number is not the same as the physical passport being lost or stolen. The correct response may depend on the country that issued the passport, the exact information exposed and whether there is evidence of attempted misuse.
Affected people should contact their country’s official passport authority and explain that their passport details were included in a confirmed data breach. They should use contact information from an official government website rather than a number contained in an unexpected email.
Travelers with an upcoming international journey should also consider the processing time and cost of obtaining a replacement before cancelling a currently valid document.
Change the Rail Planner Password
Eurail advised affected customers to change passwords associated with the Rail Planner app and related accounts.
The new password should be unique and should not be used for email, banking, social media or another travel service.
A person who reused the same password elsewhere should change it on every affected account. Criminals commonly test exposed email-and-password combinations against other popular websites in a process known as credential stuffing.
The email account connected with Eurail deserves particular attention because access to email can allow an attacker to reset passwords for several other services.
Multi-factor authentication should be enabled wherever available. An authentication app or security key generally provides stronger protection than relying only on text-message codes.
Be Suspicious of Eurail-Themed Messages
Affected travelers should expect criminals to take advantage of publicity surrounding the breach.
A fraudulent message may claim that the recipient must verify an account, protect a passport, claim compensation, recover a rail pass or confirm a future reservation.
The communication could include the person’s name or other genuine information taken from the stolen files. Accurate personal details do not prove that the message is legitimate.
Customers should avoid opening links or attachments in unexpected messages. They should instead visit the official Eurail website or contact the company through its published support channels.
Eurail has specifically advised customers to remain alert for suspicious calls, emails and text messages seeking personal information.
Monitor Financial and Online Accounts
People whose banking information was not exposed can still face financial fraud through impersonation and phishing.
Affected customers should review bank and credit-card activity regularly and enable alerts for payments, transfers and account changes. An unfamiliar transaction should be reported to the financial institution immediately.
Email accounts should be checked for unexpected forwarding rules, login alerts or password-reset messages. Social-media and shopping accounts may also contain saved payment details or personal information useful to an attacker.
People in countries that support credit reports, fraud alerts or security freezes can consider using those protections, particularly when several pieces of identity information were exposed.
The correct process differs by country, so customers should use their national consumer-protection, banking or credit-reporting authorities for instructions.
Watch for SIM-Swap and Account-Recovery Attempts
A stolen phone number, name and date of birth can potentially help criminals attempt a SIM-swap attack.
In this type of fraud, an attacker persuades or tricks a mobile provider into moving the victim’s telephone number to another SIM card. The criminal can then receive calls and text messages, including some account-recovery codes.
Customers can reduce this risk by placing a PIN or account password with their mobile carrier. They should contact the provider immediately if their phone suddenly loses service without a clear technical reason.
Text-message authentication remains better than using only a password, but an authenticator app or security key provides stronger protection against SIM swapping when those options are supported.
Travelers Should Preserve the Notification
Anyone who receives an official breach notice should keep a secure copy.
The notification can document that the person’s data was involved if identity fraud occurs later. It may also be relevant when contacting a passport authority, bank, insurer, regulator or legal adviser.
Customers should record suspicious messages, transactions and account activity with dates and screenshots. They should avoid communicating extensively with suspected scammers, but evidence can help investigators connect fraud to the broader breach.
European residents may also contact the data-protection authority in their country if they have concerns about how Eurail handled their information or breach notification.
How to Confirm a Breach Email Is Genuine
The announcement itself can be copied by scammers.
A fake email may claim to offer compensation or identity-protection services while directing the recipient to a fraudulent login page.
Travelers should compare the sender domain carefully but should not rely on it alone, because email addresses can be spoofed. They should avoid calling telephone numbers or visiting websites provided only within an unexpected message.
The safer approach is to open Eurail’s website manually and access its official security-incident guidance.
A legitimate breach notice should not require the customer to send a password, disclose a complete payment-card number or pay a fee to secure the account.
What Eurail Says It Has Done
Eurail said it investigated the unauthorized access, reported the incident to relevant regulators and began contacting affected individuals.
The company also said that protecting customers and reducing potential harm remained its priority. It encouraged users to update passwords, monitor their accounts and remain cautious about suspicious communications.
Eurail has not publicly disclosed every technical security change made after the breach. Organizations often limit such detail while investigations, legal reviews and infrastructure changes are continuing.
The breach nevertheless raises questions about why sensitive identity information was retained, how long it was stored and whether stronger access controls could have limited the amount of data available to the attacker.
What Affected Travelers Should Remember
The Eurail breach affected 308,777 people and exposed at least names and passport numbers. Some records also contained contact details, birth dates and home addresses, while particular DiscoverEU participants may have had additional sensitive information involved.
The stolen data was not merely viewed inside Eurail’s systems. It was copied, offered for sale on the dark web and partially published through Telegram.
Affected travelers should change reused passwords, secure their email and mobile accounts, monitor financial activity and be highly cautious of messages that use genuine travel or passport information to appear trustworthy.
Replacing a passport may be appropriate in some cases, but travelers should first obtain guidance from the official authority that issued their document.
The breach does not mean that every affected person will experience identity theft. It does mean that exposed information may remain available to criminals for years, making continued awareness more important than a one-time password change.