The European Commission confirmed a data breach on Friday after extortion gang ShinyHunters claimed it stole over 350GB of files from the organization's Amazon cloud infrastructure hosting Europa.eu. Commission staff detected the attack on March 24, three days before going public.
ShinyHunters posted an entry to its dark web leak site on March 26 advertising the stolen data. "Over 350 GB+ of data was compromised," the post read, "including data dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material." The gang released a 90GB archive of files from compromised AWS accounts.
Thomas Regnier, European Commission spokesperson, told reporters Monday that "our defense systems immediately detected the malicious activities and contained the incident." He said risk mitigation measures were implemented "to protect our services and data without disrupting the availability of our European websites."
Regnier told reporters the affected domains were limited to Europa.eu public sites, with internal infrastructure remaining secure. The Commission's official statement, published March 27, included a qualification Regnier avoided in the press briefing. "Early findings of the ongoing investigation suggest data was taken," the statement read.
How the breach happened
Amazon Web Services confirmed the intrusion "resulted from compromised customer account credentials, not from any vulnerability in AWS infrastructure or services," according to the company's statement. The breach targeted cloud accounts with weak or stolen login information rather than exploiting infrastructure vulnerabilities.
The group followed its standard operating procedure: targeting cloud accounts with weak or stolen credentials, exfiltrating everything accessible, posting samples publicly, and threatening to release more unless demands are met. ShinyHunters has claimed responsibility for dozens of high-profile breaches targeting corporations, government agencies, and cloud infrastructure providers including AT&T, Ticketmaster, and multiple healthcare organizations.
Europa.eu serves as the entry point for policy pages, press releases, and public information from EU institutions, all hosted on AWS cloud infrastructure. Separating public sites from internal systems is standard security practice, but the breach still exposed material the Commission did not intend to make public.
What was taken
Security researchers reviewing the leaked files report seeing directory listings for contracts, internal communications, and administrative documents. The 90GB sample posted by ShinyHunters includes file structures consistent with email server backups, database exports, and document repositories.
Commission officials have not disclosed which AWS services were accessed or what types of data were stored there. ShinyHunters had access for at least three days before detection, with the breach discovered March 24 but the gang posting its first leak site entry March 26 after extracting and processing the stolen data.
Timing matters. Attackers with legitimate credentials can browse cloud storage, copy databases, and download backups without triggering immediate alerts. AWS detection relies on abnormal access patterns, volume spikes, or geographic anomalies. Stolen credentials from accounts that normally accessed those services from a similar location could evade automated monitoring for days.
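The detection gap described above, as an added example that is not from the Commission, AWS, or any source cited here: a small pass over CloudTrail-style records showing that an address baseline alone misses a familiar-location session, while a volume check still flags it. The records, principals, addresses, and the `reads_per_hour_limit` threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed CloudTrail-style records. Field names follow the CloudTrail
# record format; every value here is invented for the example.
def ev(time, name, arn, ip, **extra):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}, **extra}

ALICE = "arn:aws:iam::111122223333:user/alice"
BACKUP = "arn:aws:iam::111122223333:user/backup-svc"
KNOWN_IPS = {ALICE: {"198.51.100.7"}, BACKUP: {"198.51.100.9"}}  # assumed baseline
EVENTS = [
    ev("2030-01-01T09:02:11Z", "ConsoleLogin", ALICE, "198.51.100.7",
       additionalEventData={"MFAUsed": "Yes"},
       responseElements={"ConsoleLogin": "Success"}),
    ev("2030-01-01T23:40:05Z", "ConsoleLogin", ALICE, "203.0.113.50",
       additionalEventData={"MFAUsed": "No"},
       responseElements={"ConsoleLogin": "Success"}),
    # 40 S3 object reads in one hour, all from the principal's usual address.
] + [ev(f"2030-01-02T02:{m:02d}:00Z", "GetObject", BACKUP, "198.51.100.9")
     for m in range(40)]

def find_anomalies(events, known_ips, reads_per_hour_limit=25):
    """Return (principal, reason) pairs for logins and read bursts worth review."""
    findings, reads = [], Counter()
    for e in events:
        arn, ip = e["userIdentity"]["arn"], e["sourceIPAddress"]
        if e["eventName"] == "ConsoleLogin":
            ok = (e.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa = (e.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
            if ok and not mfa:
                findings.append((arn, "console login without MFA"))
            if ok and ip not in known_ips.get(arn, set()):
                findings.append((arn, "console login from unfamiliar address"))
        elif e["eventName"] == "GetObject":
            reads[(arn, e["eventTime"][:13])] += 1  # bucket by "YYYY-MM-DDTHH"
    # Volume check: catches bulk reads even when the source address is familiar.
    for (arn, hour), n in sorted(reads.items()):
        if n > reads_per_hour_limit:
            findings.append((arn, f"{n} object reads in hour {hour}"))
    return findings

if __name__ == "__main__":
    for principal, reason in find_anomalies(EVENTS, KNOWN_IPS):
        print(principal, "->", reason)
```

S3 object reads only appear in CloudTrail when data event logging is enabled for the bucket, so the volume check depends on that setting.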
Second breach in six months
This marks the second major breach at the European Commission within six months, following a September 2025 incident that potentially exposed staff personal details without the Commission disclosing the extent of that compromise. The repeat breach raises questions about Commission cloud security practices, especially around credential management where AWS accounts are only as secure as the passwords protecting them.
Commission officials have not said whether the March breach involved the same AWS accounts as the September incident, whether multi-factor authentication was enabled on the compromised accounts, or how the credentials were obtained in the first place. Those details matter for anyone trying to learn from this incident.
Attackers compromise credentials three ways: phishing emails that capture login details when employees click malicious links, brute-force attacks on weak passwords, or finding access keys stored insecurely in code repositories or documentation. AWS publishes guidance on all three attack vectors, but enforcement depends on customers implementing the controls.
AWS responsibility vs customer responsibility
AWS operates under what it calls a "shared responsibility model" where Amazon secures the infrastructure while customers remain responsible for securing their data and access controls. Organizations using weak passwords or storing access keys insecurely create breaches AWS cannot prevent, with the cloud provider having no visibility into credential management outside the platform.
AWS documentation instructs customers to "enable multi-factor authentication, rotate access keys regularly, limit permissions through Identity and Access Management, and monitor CloudTrail logs for suspicious activity." The Commission has not confirmed which controls were in place.
Multi-factor authentication blocks most credential theft attacks. Phishers who steal a password still cannot log in without the second factor. The technology works, but customers must enable it and enforce it across all accounts with elevated permissions.
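One way to check the MFA and key-rotation controls named above, as an added example that is not AWS's or the Commission's own tooling: it audits an IAM credential report, the CSV that `aws iam get-credential-report` returns. The sample rows are constructed, use only a subset of the report's columns, and the 90-day key age limit is an assumption.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample; a real report has more columns than this subset.
REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,not_supported,false,true,2029-01-10T00:00:00+00:00
alice,true,true,false,N/A
bob,true,false,true,2029-11-20T00:00:00+00:00
deploy-bot,false,false,true,2028-06-01T00:00:00+00:00
"""

def audit(report_csv, now, max_key_age_days=90):
    """Return (user, finding) pairs for missing MFA and stale access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root row reports password_enabled as "not_supported" but can
        # always sign in to the console, so treat it as having a password.
        has_password = is_root or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):  # each IAM user can hold up to two access keys
            if row.get(f"access_key_{n}_active") != "true":
                continue
            if is_root:
                findings.append((user, "root account has an active access key"))
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"access key {n} is {age} days old"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(REPORT, datetime(2030, 1, 1, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```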
What happens next
Investigators are still working the case. Officials declined to say whether they will pay ShinyHunters to prevent further data release despite EU policy generally opposing extortion payments. The gang typically releases additional stolen data in waves if demands are not met. ShinyHunters' leak site entry suggests it holds far more than the 90GB sample already posted. Whether the remaining 260GB contains more sensitive material or redundant files remains unclear.
Regulatory scrutiny of Commission cloud security practices will likely follow. The Commission writes and enforces data protection regulations across the EU while remaining technically exempt from GDPR penalties itself, but member states and the European Parliament will likely examine the incident despite that exemption.
For other organizations using AWS, the breach demonstrates that cloud security depends on credential hygiene rather than infrastructure hardening. Attackers logged in with legitimate credentials. No perimeter defense stops that. The European Commission learned this lesson through a breach that exposed 350GB of data it cannot get back.
TLDR
The European Commission confirmed on March 27 that hackers breached its Amazon Web Services infrastructure hosting Europa.eu websites on March 24. ShinyHunters extortion gang claims to have stolen over 350GB of data including email servers, databases, and confidential documents. Commission spokesperson Thomas Regnier says internal systems were not affected, but the official statement quietly acknowledged data was taken. This is the second breach at the Commission in six months.
SOURCES & CITATIONS
- European Commission press release: Commission responds to cyber-attack on its Europa web platform
- BleepingComputer: European Commission confirms data breach after Europa.eu hack
- The Record: European Commission downplays ShinyHunters cyberattack impact
- Cybernews: It looks bad — inside ShinyHunters' European Commission data breach