ShinyHunters has claimed responsibility for a breach of the European Commission's AWS-hosted cloud infrastructure, asserting theft of over 350GB of data including mail server dumps, internal databases, confidential documents, and contracts. The Commission confirmed the cyberattack on March 27, 2026 — four days after detection on March 24 — stating that internal IT systems were unaffected but that early findings confirm data was taken. The investigation is ongoing.

What Happened

On March 24, 2026, the European Commission detected unauthorized access to the cloud infrastructure hosting its Europa.eu websites. The incident was contained quickly, with mitigation measures applied and no disruption to public-facing services.

On March 27, the Commission issued a public statement acknowledging the breach and confirming that potentially affected EU entities were being notified. The same day, ShinyHunters added the Commission to their Tor-hosted data leak site, claiming the theft of 350GB+ of data and providing screenshots as evidence to journalists.

Critically, the threat actor stated they intend to leak the data rather than demand ransom — a posture that shifts the threat from extortion to weaponized exposure. Amazon confirmed its own infrastructure was not compromised; the attack targeted the Commission's AWS account, not AWS itself.

What Was Taken

Per ShinyHunters' claim and preliminary Commission findings:

Volume: 350GB+. The Commission has not independently confirmed the full data inventory. Affected EU entities are being individually notified, suggesting the breach touched data belonging to multiple institutions hosted on the same shared infrastructure.

Why It Matters

This is a breach of the executive body of the European Union — an institution that handles sensitive policy deliberations, inter-state negotiations, procurement contracts, and communications with member governments. Even with internal systems untouched, the exfiltration of mail server content and confidential documents from cloud infrastructure represents a serious intelligence loss.

The leak-not-ransom posture is significant. ShinyHunters has operated this way before — the 2024 Ticketmaster breach followed a similar arc. When data is published rather than held for ransom, the window for containment closes immediately. Any EU counterpart, contractor, or member state whose data transited those systems is now potentially exposed.

The timing is also notable: this follows a January 2026 breach of the Commission's mobile device management infrastructure that exposed staff names and phone numbers. Two confirmed breaches of EU Commission cloud systems in under 90 days signal a persistent targeting campaign, not opportunistic access.

The Attack Technique

The precise initial access vector has not been confirmed. What is known: the breach involved compromise of an AWS account (not AWS infrastructure itself), pointing toward credential theft or IAM misconfiguration as likely entry points.

Possible vectors include:

  - Phishing targeting Commission staff with AWS console access
  - Exposed or leaked IAM access keys (long-lived static credentials stored in code, CI pipelines, or third-party tools)
  - Misconfigured S3 buckets or IAM roles granting overly broad permissions to external principals

Security experts have noted the incident is consistent with poor IAM hygiene — specifically, the use of IAM-generated long-lived keys rather than federated identity, and the absence of a break-glass admin strategy requiring multi-party authentication for privileged access.

What Organizations Should Do

  1. Audit IAM credentials immediately. Rotate all long-lived AWS access keys. Migrate to IAM Identity Center (SSO) and eliminate static key usage wherever possible. Enforce MFA on all accounts with console access.

  2. Implement break-glass controls for privileged AWS access. Root account credentials should be stored offline, with dual-person authorization required for activation. No single identity should have unrestricted access to cloud infrastructure.

  3. Enable CloudTrail and GuardDuty if not already active. Detect unusual API calls, cross-region data access, and bulk S3 exfiltration patterns. Set alerts for large-volume GetObject calls.

  4. Scope your blast radius. Identify what data lives in externally-hosted or cloud-hosted systems vs. internal infrastructure. Shared cloud hosting environments (like multi-tenant web platforms) should not store or process sensitive communications.

  5. Accelerate incident notification timelines. The Commission detected the breach March 24 and disclosed publicly March 27. Three days is reasonable, but affected entities need earlier notification — especially when mail content may be involved.

  6. Treat mail infrastructure as high-sensitivity. Email systems should not share cloud infrastructure with public-facing websites. If they do, enforce strict network segmentation, separate IAM boundaries, and dedicated logging.
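The detection side of steps 1 and 3, together with the long-lived-key concern raised in the attack technique section, as an added example that is not from the original article or any Commission tooling: it runs over constructed CloudTrail-style records and flags use of long-lived IAM keys, bulk S3 GetObject volume, and activity outside a home region. The threshold, home region, bucket names and the 111122223333 account id are assumed values.

```python
from collections import Counter, defaultdict

# Constructed CloudTrail-style records (not real Commission logs). Access key
# IDs starting with "AKIA" are long-lived IAM user keys; "ASIA" marks
# temporary STS credentials issued through federation.
def _evt(key_id, name, region, bucket):
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "awsRegion": region,
            "userIdentity": {"accessKeyId": key_id,
                             "arn": "arn:aws:iam::111122223333:user/example"},
            "requestParameters": {"bucketName": bucket}}

SAMPLE_EVENTS = (
    [_evt("AKIAEXAMPLE0000LONG", "GetObject", "eu-west-1", "mail-dumps")
     for _ in range(120)]                       # bulk pull with a static key
    + [_evt("AKIAEXAMPLE0000LONG", "ListBuckets", "us-east-1", "")]
    + [_evt("ASIAEXAMPLE0000TEMP", "GetObject", "eu-west-1", "www-assets")
       for _ in range(5)]                       # ordinary federated activity
)

def analyze(events, get_threshold=100, home_region="eu-west-1"):
    """Return {accessKeyId: [reasons]} for keys that trip any rule.

    Rules mirror the recommendations above: long-lived key use,
    large-volume GetObject, and activity outside the home region.
    Threshold and home region are assumed values for this example.
    """
    gets, regions = Counter(), defaultdict(set)
    for e in events:
        key = e["userIdentity"].get("accessKeyId", "")
        regions[key].add(e["awsRegion"])
        if (e["eventSource"] == "s3.amazonaws.com"
                and e["eventName"] == "GetObject"):
            gets[key] += 1
    findings = {}
    for key, seen in regions.items():
        reasons = []
        if key.startswith("AKIA"):
            reasons.append("long-lived IAM access key in use (not STS/federated)")
        if gets[key] >= get_threshold:
            reasons.append(f"bulk S3 GetObject: {gets[key]} calls")
        foreign = sorted(seen - {home_region})
        if foreign:
            reasons.append("activity outside home region: " + ", ".join(foreign))
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for key, reasons in analyze(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(reasons))
```

In production the same rules would be fed from CloudTrail delivery in S3 or from GuardDuty findings rather than an in-memory list.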
