Over 300k Interrail Users Advised to Replace Passports After Eurail Data Leak Appears on Dark Web

More than 300,000 Interrail customers warned to replace passports after Eurail confirms stolen data is for sale on the dark web. See impacts and mitigations.

Peter Olaleru/3 min/NG

Cybersecurity Editor

Source: The Guardian

More than 300,000 European travellers were told to replace passports after Eurail confirmed that passport numbers, names, contacts and other personal data stolen in a December breach are being offered for sale on the dark web, with a sample posted on Telegram.

Context

Holidaymakers across Europe received notices from Eurail, the Dutch operator of Interrail passes, advising them to cancel compromised passports and apply for new ones. The UK Passport Office has instructed at least one holder to cancel the document to prevent fraudulent use, noting a replacement fee of £102. Similar advice came from Danish authorities, where replacement costs exceed £200. Affected users described the situation as an "absolute nightmare" and expressed fear about identity misuse.

Key Facts

- Personal data of over 300,000 travellers—including passport numbers, full names, phone numbers, email and home addresses, and dates of birth—was accessed in December.
- Eurail stated that the copied data was being sold on the dark web and a sample dataset had been published on Telegram.
- The company urged customers to remain vigilant for suspicious calls, emails or texts, to update passwords for the Rail Planner app, and to change credentials for email, social media and banking accounts.
- Some users have requested compensation under Article 82 of the GDPR, citing financial and emotional harm.
- Eurail confirmed it is still notifying all affected individuals and said those whose data appeared in the Telegram sample have been informed.

What It Means

The breach exposes travellers to risks of identity theft, fraudulent passport use, and targeted phishing. While Eurail has not disclosed the exact attack vector, incidents involving credential theft or web‑application vulnerabilities often involve techniques such as T1078 (Valid Accounts) and T1566.001 (Spearphishing Attachment). Organizations should enforce multi‑factor authentication, monitor for credential reuse, and deploy dark‑web monitoring services to detect leaked data early.

Mitigations / What Defenders Should Do

- Apply the latest security patches for web applications and APIs (refer to vendor advisories).
- Enforce MFA on all customer‑facing portals and internal admin consoles.
- Implement logging and alerting for anomalous login attempts (MITRE ATT&CK T1078).
- Use threat‑intelligence feeds to watch for mentions of company data on dark‑web forums and Telegram channels.
- Advise users to reset passwords, enable password‑less authentication where possible, and monitor financial accounts for unauthorized activity.
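As an illustration of the login-alerting mitigation, the sketch below is an added example (not code from Eurail or the original report) that flags two patterns in authentication logs: a successful login from an IP that has been trying many different accounts, and a login to a breach-exposed account from an IP it has never used. The log layout, account names, IP addresses, baseline and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth events: (timestamp, account, source_ip, outcome)
SAMPLE_EVENTS = [
    ("2025-01-10T08:00:01Z", "anna@example.com",  "198.51.100.7", "fail"),
    ("2025-01-10T08:00:02Z", "ben@example.com",   "198.51.100.7", "fail"),
    ("2025-01-10T08:00:03Z", "carla@example.com", "198.51.100.7", "fail"),
    ("2025-01-10T08:00:04Z", "dev@example.com",   "198.51.100.7", "success"),
    ("2025-01-10T09:15:00Z", "anna@example.com",  "203.0.113.20", "success"),
    ("2025-01-10T09:30:00Z", "erik@example.com",  "192.0.2.44",   "success"),
    ("2025-01-10T10:00:00Z", "anna@example.com",  "192.0.2.99",   "success"),
]
# Constructed baseline: IPs each account has previously logged in from
KNOWN_IPS = {
    "anna@example.com": {"203.0.113.20"},
    "dev@example.com": {"203.0.113.50"},
    "erik@example.com": {"192.0.2.10"},
}
# Constructed set of accounts already notified as exposed in a breach
EXPOSED = {"anna@example.com", "dev@example.com"}
SPRAY_THRESHOLD = 3  # distinct accounts tried from one IP (assumed value)

def detect(events, known_ips, exposed, threshold=SPRAY_THRESHOLD):
    """Return alerts as (timestamp, account, ip, reason) tuples."""
    # Pass 1: find source IPs that attempted many distinct accounts
    accounts_by_ip = defaultdict(set)
    for _, account, ip, _ in events:
        accounts_by_ip[ip].add(account)
    spraying = {ip for ip, accts in accounts_by_ip.items()
                if len(accts) >= threshold}
    # Pass 2: only successful logins can indicate account takeover
    alerts = []
    for ts, account, ip, outcome in events:
        if outcome != "success":
            continue
        if ip in spraying:
            alerts.append((ts, account, ip, "success_from_spraying_ip"))
        elif account in exposed and ip not in known_ips.get(account, set()):
            alerts.append((ts, account, ip, "exposed_account_new_ip"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_IPS, EXPOSED):
        print(alert)
```

The login by `erik@example.com` from a new IP is deliberately not alerted on, because that account is not in the exposed set; in practice such events would usually go to a lower-priority queue rather than be dropped.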

Watch for further updates from Eurail on the scope of the leak, any regulatory actions under GDPR, and guidance from national passport agencies on large‑scale credential‑based fraud.
