EURAIL , the Netherlands-based travel company, is notifying over 300,000 people that their personal information was stolen in a December 2025 data breach. The attackers stole names and passport numbers, after breaching Eurail’s network and taking files containing basic identity and contact details, with a hacker later boasting on a surface web site about stealing roughly 1.3 terabytes of data from Eurail’s AWS S3, Zendesk, and GitLab instances.
In early March Eurail confirmed the data had been offered on the dark web, and that a sample dataset was published on a Telegram channel; Eurail also said it does not store bank or credit card information, nor visual copies of passports. Last week the company filed breach notifications with the Attorney General’s Offices in several US states, and the Oregon Attorney General’s Office states that the data breach impacts 308,777 people. The article notes that Eurail began disclosing the breach in January after initially warning affected customers to expect notifications.