
European Commission Data Breach Claimed by ShinyHunters

Published on April 1, 2026

The European Commission confirmed a data breach on March 27, days after attackers accessed the cloud infrastructure hosting its public-facing Europa.eu platform. The European Commission data breach, detected on March 24, exposed data from at least one Amazon Web Services account and has since been claimed by ShinyHunters, a well-established data extortion group with a long record of high-profile attacks.

What the Commission Confirmed

Officials confirmed the attack struck cloud infrastructure used to host EU institutional websites on the Europa.eu platform. The incident was detected quickly, and containment steps were applied without disrupting website availability.

In its official statement, the Commission said early findings suggest data was taken from those websites and that affected Union entities are being notified. Internal systems were not compromised in the attack, and no disruption to the Europa websites was reported.

Amazon Web Services confirmed separately that its own infrastructure was not breached. The vulnerability was within the Commission's cloud account, not the underlying platform.

ShinyHunters Claims 350GB of Stolen Data

ShinyHunters listed the European Commission on its dark web leak site on March 26, claiming to have stolen more than 350GB of data. The group described the haul as including mail server dumps, internal databases, confidential documents, and contracts.

Within days, the group published an archive of over 90GB of files allegedly taken from the compromised cloud environment. The listing was updated on March 28, suggesting ongoing activity or further data being added after the initial post.

Reported contents of the leaked data include emails and attachments, a full SSO user directory, DKIM signing keys, AWS configuration snapshots, and internal admin URLs. The group stated it has no intention to demand a ransom and plans to leak the full dataset online.

Why DKIM Keys and AWS Configs Matter

The reported inclusion of DKIM signing keys in the breach carries significant downstream risk. DKIM keys are used to authenticate outgoing email from a domain. With valid keys, an attacker can send messages that pass standard email authentication checks, making them appear to originate legitimately from EU Commission domains.

Combined with AWS configuration snapshots, which can expose cloud architecture details and access patterns, the breach gives adversaries material that could support follow-on attacks, including targeted phishing campaigns directed at EU member states, partner institutions, or Commission staff.

The Commission's internal systems were not affected, but the data taken from its external cloud environment is operationally sensitive.

Staff Data Exposure

The breach also affected Commission employee data. Unauthorized access to staff names and mobile phone numbers was confirmed, though no employee devices were compromised. The full scope of personnel data exposure remains under investigation.

The Second Breach This Year

This is not the first time the Commission has faced a serious security incident in 2026. In February, the Commission disclosed that its mobile device management platform had been compromised, with the attack traced back to January 30. That incident was contained within nine hours, but attackers may have accessed some staff contact data.

The January attack is linked to a broader pattern targeting European institutions through code-injection vulnerabilities in Ivanti Endpoint Manager Mobile software. Similar attacks hit the Dutch Data Protection Authority and a Finnish government agency in the same period.

Both incidents occurred after the Commission proposed new cybersecurity legislation in January 2026 aimed at strengthening EU defenses against state-backed actors and cybercrime groups. The Council of the EU also sanctioned three Chinese and Iranian companies in March for orchestrating attacks on member state critical infrastructure.

ShinyHunters' Recent Activity

ShinyHunters has been active across multiple sectors in recent months. The group has claimed breaches at Infinite Campus, CarGurus, Canada Goose, Panera Bread, Betterment, SoundCloud, and Match Group, the parent company of Tinder, Hinge, and OkCupid. In 2024, AT&T paid a member of the group $370,000 to delete customer data following a breach that exposed call and text records for tens of millions of users.

The group's approach consistently targets cloud environments and SSO credential infrastructure, a pattern that fits the method used against the Commission's AWS account.

Investigation Ongoing

The Commission says its investigation into the full technical impact of the breach continues. It has committed to notifying all affected entities and applying findings from the forensic analysis to harden its cloud architecture going forward.

For organizations that regularly communicate with EU institutions, the reported theft of DKIM keys and internal directory data is a reason to apply additional scrutiny to any inbound email appearing to come from Commission domains in the weeks ahead.
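The extra scrutiny described here and in the DKIM section above can be applied at the mail gateway. The following is an added example, not part of the original article or any Commission guidance: it treats `dkim=pass` as insufficient when the passing signature used a selector on a presumed-exposed list. The domain `agency.example`, the selectors `sel2025` and `sel2026r`, and the authserv-id `mx.recipient.example` are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All names below are constructed for illustration.
TRUSTED_AUTHSERV = "mx.recipient.example"      # our own verifying MTA
WATCHED = {"agency.example"}                   # sender domain with reported key theft
EXPOSED = {("agency.example", "sel2025")}      # (d=, s=) pairs presumed stolen

def dkim_results(msg):
    """Yield (result, d, s) from Authentication-Results added by our MTA only."""
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(hdr).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # header written upstream or by the sender: not evidence
        for clause in rest.split(";"):
            m = re.match(r"\s*dkim=(\w+)", clause, re.I)
            if m:
                p = {k.lower(): v.lower() for k, v in
                     re.findall(r"header\.([ds])=([\w.-]+)", clause, re.I)}
                yield m.group(1).lower(), p.get("d", ""), p.get("s", "")

def triage(raw):
    msg = message_from_string(raw)
    dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    watched = next((w for w in WATCHED if dom == w or dom.endswith("." + w)), None)
    if watched is None:
        return "out-of-scope"
    passes = [(d, s) for res, d, s in dkim_results(msg)
              if res == "pass" and (d == watched or d.endswith("." + watched))]
    if any(s and (d, s) not in EXPOSED for d, s in passes):
        return "deliver"                      # signed by a key not on the exposed list
    if any((d, s) in EXPOSED for d, s in passes):
        return "quarantine:exposed-selector"  # dkim=pass proves nothing here
    return "review:no-usable-dkim-pass"

def sample(authres):
    """Constructed test message with the given Authentication-Results value."""
    return ('From: "Press Office" <press@agency.example>\n'
            f"Authentication-Results: {authres}\n"
            "Subject: constructed sample\n\nbody\n")

OLD = sample("mx.recipient.example; dkim=pass header.d=agency.example header.s=sel2025")
NEW = sample("mx.recipient.example; dkim=pass header.d=agency.example header.s=sel2026r")
FORGED = sample("mx.sender.example; dkim=pass header.d=agency.example header.s=sel2026r")

if __name__ == "__main__":
    for name, raw in (("old", OLD), ("new", NEW), ("forged", FORGED)):
        print(name, "->", triage(raw))
```

In practice the exposed-selector list would come from the sending organization's key-rotation notice; once the sender withdraws the old public key from DNS, signatures made with it stop verifying on their own.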
