Eurail B.V., the company behind Eurail and Interrail train passes, recently faced a significant data breach, compromising sensitive information from an undisclosed number of travelers. The breach was acknowledged on January 10, 2026, with the company starting to notify affected customers shortly after. Initial findings indicate that attackers accessed personal details such as names, dates of birth, email addresses, home addresses, phone numbers, and passport or ID information, including expiration dates. The breach potentially affects customers who purchased a Eurail pass or made seat reservations, including those who bought passes through partner channels. Particularly concerning are the additional risks for DiscoverEU participants, whose data may include bank account numbers, photocopies of identification, and health-related information. While the exact method of the attack remains unclear, Eurail has reportedly secured the affected systems. They continue to monitor for any misuse of the compromised data without evidence of public disclosure so far. To mitigate risks, Eurail has reset access credentials for customer accounts and urged users to create new passwords. They recommend vigilance against phishing attempts and identity theft, advising customers to be cautious of unsolicited communications. Users are also encouraged to change passwords linked to other accounts and to watch for unusual transactions in their banks. The situation remains under investigation, with Eurail committed to informing customers directly if their data was accessed.