The European Commission has confirmed that attackers may have exfiltrated data from the cloud infrastructure hosting its Europa.eu platform. The executive body disclosed the incident on March 27, 2026, after detecting the intrusion on March 24. Extortion group ShinyHunters has since claimed responsibility, alleging the theft of more than 350GB of sensitive Commission data, including mail server dumps, databases, contracts, and internal documents.

What Happened

The Commission detected unauthorized activity in its Europa.eu cloud environment on March 24, 2026, and publicly confirmed the breach three days later. Officials state they took immediate containment steps, ensuring Europa websites remained available throughout the response. According to the Commission, internal systems were not affected, but early findings of the ongoing investigation indicate data was taken from the affected websites. EU entities potentially impacted by the incident are being notified directly.

Reports indicate the compromised infrastructure was hosted in the Commission's AWS environment, though AWS has confirmed its services themselves were not compromised, suggesting the failure was at the configuration or identity layer rather than the cloud provider. Unconfirmed social media chatter has also implicated EU cybersecurity agency ENISA as a possible secondary victim.

What Was Taken

ShinyHunters has posted screenshots on X claiming to hold over 350GB of stolen Commission material. According to the group's claims and analysis from the International Cyber Digest, the dataset reportedly includes:

Why It Matters

The exposure of DKIM signing keys is particularly severe: with valid keys, attackers can forge cryptographically authenticated emails appearing to originate from europa.eu domains, enabling high-credibility phishing against EU member states, contractors, and partner agencies. A leaked SSO directory compounds this risk by giving adversaries a verified target list and account structure for follow-on credential attacks.

The alleged inclusion of Athena data, the mechanism that funds common EU defense operations, raises geopolitical stakes well beyond a routine data breach. Combined with internal admin URLs and mail archives, the trove offers both immediate extortion leverage and long-term intelligence value to state-aligned actors who routinely purchase or trade ShinyHunters dumps.

The Attack Technique

The Commission has not disclosed the initial access vector, and ShinyHunters has not detailed how it obtained the data. However, the group's recent operating pattern provides strong indicators. Throughout 2025, ShinyHunters ran a sustained campaign harvesting SSO credentials and Salesforce data from Google, Chanel, Pandora, Panera Bread, Match Group, and dozens of other organizations. Earlier in 2026, the group pivoted to targeting Adobe Experience Cloud customers.

The group's signature technique is voice phishing (vishing): operators impersonate internal IT helpdesk staff and call employees, walking them through "verification" workflows that route credentials and MFA codes into spoofed corporate portals. Once inside, attackers harvest OAuth tokens, pivot through SSO, and bulk export connected SaaS and cloud datastores. The reported theft of a full SSO directory and AWS-hosted assets at the Commission is consistent with this playbook.

What Organizations Should Do

  1. Rotate DKIM, SSO, and API keys. Any organization that has received europa.eu correspondence should treat current DKIM trust as suspect; defenders inside affected entities must rotate signing keys, OAuth client secrets, and SSO certificates immediately.
  2. Harden the helpdesk against vishing. Require call-back verification through a known internal channel before any password reset or MFA re-enrollment, and never authenticate users via inbound calls.
  3. Enforce phishing-resistant MFA. Replace SMS and TOTP with FIDO2 security keys or platform passkeys for all administrators and SSO console users to neutralize ShinyHunters' credential-capture portals.
  4. Audit the cloud identity perimeter. Review IAM roles, federated identity providers, and conditional access policies in AWS, Azure, and GCP tenants; restrict programmatic access to known IP ranges and short-lived credentials.
  5. Monitor for inbound europa.eu spoofing. Tighten DMARC enforcement and flag unusual senders from EU institution domains until DKIM key rotation is confirmed.
  6. Hunt for ShinyHunters TTPs. Look for anomalous OAuth grants, unusual data egress to Mega or anonymous file hosts, and bulk Salesforce or NextCloud exports occurring outside normal business hours.
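
A sketch of the check in step 5, added here as an example and not taken from the source article or any Commission tooling: it holds mail claiming a europa.eu sender unless a DKIM signature under that domain uses a selector on an allow list of confirmed post-rotation selectors. The selector names, the `ROTATED` allow list and the sample messages are constructed assumptions, and the code expects the receiving MTA to have already verified the signatures.

```python
import email
import re
from email import policy

WATCHED = "europa.eu"
# Assumption: selectors each signing domain has confirmed as issued after its
# key rotation. Placeholder value; the article lists no selectors.
ROTATED = {"europa.eu": {"rotated-selector-placeholder"}}

def dkim_tags(value):
    """Parse one DKIM-Signature value (RFC 6376 tag=value list) into a dict."""
    parts = (p.split("=", 1) for p in re.sub(r"\s+", " ", value).split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in parts}

def watched(domain):
    domain = domain.lower().rstrip(".")
    return domain == WATCHED or domain.endswith("." + WATCHED)

def triage(raw):
    """Return (verdict, reason). Run after the MTA has verified DKIM: a valid
    signature made with a pre-rotation key is exactly what a leaked key gives."""
    msg = email.message_from_string(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].domain if addrs else ""
    if not watched(sender):
        return ("deliver", "From domain not watched")
    sigs = [dkim_tags(str(h)) for h in msg.get_all("DKIM-Signature", [])]
    aligned = [s for s in sigs if watched(s.get("d", ""))]
    if not aligned:
        return ("hold", "no DKIM signature under the watched domain")
    for s in aligned:
        if s.get("s", "") in ROTATED.get(s["d"].lower(), set()):
            return ("deliver", f"selector {s['s']} confirmed rotated")
    return ("hold", "signed only with selectors not confirmed rotated")

def _msg(from_addr, sig=None):  # builds constructed sample messages
    head = f"From: {from_addr}\nSubject: constructed sample\n"
    if sig:
        head += f"DKIM-Signature: v=1; a=rsa-sha256; d={sig[0]}; s={sig[1]};\n bh=AAAA=; b=BBBB=\n"
    return head + "\nbody\n"

SAMPLES = {
    "rotated": _msg("Unit <unit@europa.eu>", ("europa.eu", "rotated-selector-placeholder")),
    "legacy": _msg("Unit <unit@europa.eu>", ("europa.eu", "old-selector-constructed")),
    "subdomain": _msg("desk@sub.europa.eu", ("sub.europa.eu", "old-selector-constructed")),
    "unsigned": _msg("desk@europa.eu"),
}

for name, raw in SAMPLES.items():
    print(name, triage(raw))
```

Held messages go to review rather than being rejected, since a sending domain that has not yet published its rotation will otherwise lose legitimate mail.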

Sources: European Commission Confirms Cloud Data Breach