ShinyHunters Claims 350GB Data Theft from European Commission AWS Account

4 Min Read / March 30, 2026

The European Commission has confirmed a cyberattack affecting cloud infrastructure linked to its Europa.eu web platform, after a threat actor claiming to be ShinyHunters alleged it had stolen more than 350GB of data. The Commission discovered the breach on 24 March 2026, affecting cloud infrastructure that hosts its Europa.eu platform.

According to Thomas Regnier, European Commission spokesperson, the attack “affected part of our cloud infrastructure” but internal Commission systems remained untouched. The incident affected cloud infrastructure hosting the Commission’s web presence on the Europa.eu platform with reporting indicating that at least one AWS account was involved. Early findings suggest data was accessed, though the Commission has not specified what information was taken.

ShinyHunters posted their claim on 28 March, describing the stolen data as “mail server dumps, databases, confidential documents, contracts and much more sensitive material. ShinyHunters posting described the material as including mail server dumps, databases, confidential documents and contracts but the authenticity and full scope of the alleged leak had not been independently verified in the provided reporting.

The Same Group Behind AT&T and Ticketmaster Breaches

ShinyHunters has been responsible for some of the most significant data breaches in recent years. In April 2024, the group stole data on over 110 million AT&T customers, prompting the telecom giant to pay a $370,000 ransom. They also breached Ticketmaster via a Snowflake campaign and hit major brands including Santander Bank, PowerSchool and Crunchbase.

Recent reporting describes the group as relying heavily on social engineering and voice-phishing to steal credentials and gain access to SaaS environments. Google’s Threat Intelligence Group has tracked their expansion across multiple cloud platforms, noting their focus on SaaS environments like Salesforce, Okta and Microsoft 365.

Law enforcement has made some headway against the group. French authorities arrested four members in June 2025 and US prosecutors charged Massachusetts student Matthew Lane for the PowerSchool breach. Despite arrests linked to the group in 2025, ShinyHunters-linked activity has continued. In this case however, the attack vector remains unclear in the provided reporting

AWS Denies Security Incident

Amazon Web Services has denied any security incident within its cloud environment suggesting the attackers gained access through compromised Commission credentials rather than exploiting AWS infrastructure. This matches ShinyHunters’ established pattern of targeting customer accounts rather than cloud platform vulnerabilities.

The Commission’s swift containment prevented service disruption to Europa.eu websites and the separation between public-facing cloud infrastructure and internal networks limited the breach’s scope. But the incident raises questions about access controls for high-value cloud accounts hosting sensitive government data.

This is the Commission’s second confirmed breach in two months. On 30 January 2026, attackers compromised the Commission’s mobile device management system, potentially accessing staff names and phone numbers before the incident was contained within nine hours.

The Data Is Already Being Circulated

Multiple cybersecurity monitoring services have confirmed the dark web listing matches ShinyHunters’ known infrastructure and posting patterns. The provision of a cryptographic hash suggests the attackers are confident in their data’s authenticity and are prepared for independent verification.

The Commission is notifying “Union entities” that may have been affected, though it has not identified which specific organisations or datasets are involved. The scope of potential exposure depends on what information was stored on the compromised Europa.eu cloud infrastructure beyond public-facing website content.

The incident timing is particularly awkward for the Commission which rolled out a new Cybersecurity Package in January 2026 to strengthen EU defences against large-scale cyber threats. The back-to-back breaches demonstrate that even organisations actively advancing cybersecurity policy struggle to secure their own cloud environments against determined adversaries.