European Commission Data Breach: ShinyHunters Claims 350GB Hack of AWS Cloud Infrastructure

  • Mar 28

Key Findings


  • ShinyHunters claims to have breached European Commission systems and stolen over 350GB of data

  • Alleged data includes mail server dumps, databases, confidential documents, and contracts

  • The European Commission confirmed detecting a cyberattack on March 24 affecting cloud infrastructure hosting Europa.eu websites

  • Internal systems were not compromised according to the Commission's investigation

  • AWS denies any security incident occurred within its cloud environment

  • No independent verification of the stolen data has been possible yet

  • ShinyHunters is a known cybercriminal group with a history of targeting major enterprises


Background


The European Commission detected a cyberattack on March 24 targeting cloud infrastructure that hosts its Europa.eu websites. The incident was contained quickly with mitigation measures applied and no disruption to website availability. Early investigation findings suggested some data may have been accessed from those websites, prompting the Commission to notify potentially affected EU entities. However, the Commission stated that its internal systems were not affected, which limited the overall impact of the attack.


The Breach Claims


ShinyHunters posted their claims on their dark web site, listing the European Commission among their victims. According to the posting, the compromised material consists of mail server dumps, database exports, internal documents, contracts, and other sensitive material from systems linked to the European Commission's *.europa.eu domain. The attackers claimed the files were obtained through a system compromise but provided no technical details to support their claims. The sheer volume of data makes independent verification difficult at this stage, as downloading and analyzing the full 350GB dataset has not yet been completed.


Attribution and Access Methods


Reporting suggests the hackers accessed the European Commission's Amazon Web Services accounts. However, an AWS spokesperson has stated that no security incident occurred within its cloud environment and that services functioned as expected. This discrepancy between the breach claims and AWS's denial leaves open questions about the actual attack vector, including whether the compromise was limited to misconfigured cloud settings rather than a flaw in AWS infrastructure itself.


About ShinyHunters


ShinyHunters is a well-established cybercriminal group known for targeting major organizations and selling or releasing stolen data online. The group has been linked to breaches involving Salesforce partners and other high-profile platforms, typically focusing on databases, customer records, and internal systems. Their operational approach usually involves gaining access to cloud services or poorly secured environments, then extracting large amounts of data for publication or sale. Recent victims include Odido, Figure, Canada Goose, and SoundCloud. The group primarily uses social engineering techniques, particularly voice phishing, to steal credentials and gain access to SaaS platforms like Salesforce, Okta, and Microsoft 365.


Potential Impact and Sensitive Data Concerns


If the breach is confirmed, the exposure could involve internal communications and administrative records, which present operational risks comparable to personal data breaches. EU institutions handle sensitive categories of data including biometric information such as facial recognition data used for access control and identity verification. It remains unclear whether any biometric or identity-related data is included in the alleged leak, though this question will likely be central to the ongoing investigation. The strict legal frameworks governing such data collection under EU law make any unauthorized access particularly serious.


Investigation Status


The European Commission's services are continuing their investigation to determine the full impact of the incident. The Commission is strengthening protections and analyzing the incident to improve cybersecurity measures. The organization faces ongoing cyber and hybrid threats targeting critical services and institutions across the EU. This breach follows another incident on January 30 when attackers targeted the Commission's mobile device management system, though no mobile devices were compromised in that attack.


Sources


  • https://hackread.com/shinyhunters-350gb-data-breach-european-commission/

  • https://securityaffairs.com/190095/data-breach/shinyhunters-claims-the-hack-of-the-european-commission.html

  • https://www.bleepingcomputer.com/news/security/european-commission-investigating-breach-after-amazon-cloud-account-hack/

  • https://www.facebook.com/slashdot/posts/the-european-commission-is-investigating-a-breach-after-a-threat-actor-allegedly/1254435316879548/

© 2025 by Explain IT Again.