
ShinyHunters Breach European Commission AWS Account, Stealing 350 GB of Data

ShinyHunters stole 350 GB from the European Commission's AWS environment including DKIM signing keys, SSO directories, and data from EU military financing mechanism Athena.

Marcus Williams

The European Commission confirmed Friday that the ShinyHunters extortion group had infiltrated at least one of its Amazon Web Services accounts, exfiltrating more than 350 gigabytes of data from infrastructure tied to the Europa.eu platform, a haul that security researchers say may be sensitive enough to affect diplomatic negotiations, regulatory positions, and procurement decisions across the bloc.

The intrusion followed a multi-stage playbook that began with voice phishing, or vishing, to extract single sign-on credentials and multi-factor authentication codes from Commission staff. From that initial foothold, attackers escalated privileges, moved laterally across cloud repositories, and established persistent command-and-control channels before beginning exfiltration. ShinyHunters subsequently posted more than 90 gigabytes of purported Commission files on its Tor-based dark web leak site, describing the stolen material as "data dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material."
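The chain described above (a console login backed by a phished MFA code, then privilege escalation, then bulk reads from cloud storage) is visible in a tenant's own audit trail if someone looks for the sequence rather than for any single event. The following detection routine is an added example, not code from the Commission, AWS or the reporting; it uses the field names of the CloudTrail event schema (eventName, eventSource, eventTime, sourceIPAddress, userIdentity, additionalEventData), while the sample events, the "known egress" IP prefix, the two-hour window and the 20-object threshold are constructed assumptions.

```python
"""Flag principals whose activity matches login-from-unfamiliar-IP ->
IAM privilege escalation -> bulk S3 reads within a short window.

Added example (not the Commission's or AWS's code). Field names follow the
CloudTrail event schema; events, thresholds and IP ranges are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate egress range (TEST-NET-2 placeholder); anything else is "unfamiliar".
KNOWN_EGRESS_PREFIXES = ("198.51.100.",)

# IAM calls that grant or widen access (conservative, non-exhaustive set).
PRIV_ESCALATION_CALLS = {
    "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
    "AttachRolePolicy", "UpdateAssumeRolePolicy", "CreateLoginProfile",
}
BULK_READ_CALLS = {"GetObject", "ListBucket", "ListObjects"}
WINDOW = timedelta(hours=2)      # assumed correlation window after login
BULK_THRESHOLD = 20              # assumed "bulk" read count


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _principal(ev):
    ui = ev["userIdentity"]
    return ui.get("userName") or ui.get("arn", "unknown")


def find_compromise_chains(events):
    """Return one finding per principal whose events contain a successful
    ConsoleLogin from an unfamiliar IP followed, within WINDOW, by at least
    one privilege-escalating IAM call and >= BULK_THRESHOLD S3 reads."""
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[_principal(ev)].append(ev)
    findings = []
    for who, evs in by_principal.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        for i, ev in enumerate(evs):
            if ev["eventName"] != "ConsoleLogin":
                continue
            if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
                continue
            ip = ev["sourceIPAddress"]
            if ip.startswith(KNOWN_EGRESS_PREFIXES):
                continue
            t0 = _ts(ev["eventTime"])
            later = [e for e in evs[i + 1:] if _ts(e["eventTime"]) - t0 <= WINDOW]
            esc = [e["eventName"] for e in later
                   if e["eventSource"] == "iam.amazonaws.com"
                   and e["eventName"] in PRIV_ESCALATION_CALLS]
            reads = sum(1 for e in later
                        if e["eventSource"] == "s3.amazonaws.com"
                        and e["eventName"] in BULK_READ_CALLS)
            if esc and reads >= BULK_THRESHOLD:
                findings.append({
                    "principal": who,
                    "login_ip": ip,
                    # MFAUsed == "Yes" with a phished code is exactly the case vishing produces
                    "mfa_used": ev.get("additionalEventData", {}).get("MFAUsed"),
                    "escalation_calls": esc,
                    "s3_reads": reads,
                })
    return findings


def _ev(name, source, t, who, ip, **extra):
    return {"eventName": name, "eventSource": source, "eventTime": t,
            "sourceIPAddress": ip, "userIdentity": {"userName": who}, **extra}


# Constructed sample: an MFA-backed login from TEST-NET-3, key creation and a
# policy attach, then a burst of object reads; plus a benign control user.
SAMPLE_EVENTS = [
    _ev("ConsoleLogin", "signin.amazonaws.com", "2025-12-05T08:02:11Z", "j.doe", "203.0.113.7",
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _ev("CreateAccessKey", "iam.amazonaws.com", "2025-12-05T08:09:40Z", "j.doe", "203.0.113.7"),
    _ev("AttachUserPolicy", "iam.amazonaws.com", "2025-12-05T08:10:02Z", "j.doe", "203.0.113.7"),
] + [
    _ev("GetObject", "s3.amazonaws.com", f"2025-12-05T08:20:{k:02d}Z", "j.doe", "203.0.113.7")
    for k in range(25)
] + [
    _ev("ConsoleLogin", "signin.amazonaws.com", "2025-12-05T09:00:00Z", "a.smith", "198.51.100.4",
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _ev("GetObject", "s3.amazonaws.com", "2025-12-05T09:01:00Z", "a.smith", "198.51.100.4"),
]

if __name__ == "__main__":
    for finding in find_compromise_chains(SAMPLE_EVENTS):
        print(finding)
```

The point of correlating across the sequence is that each step on its own looks legitimate: the login carries a valid MFA result, key creation is routine, and object reads are what storage is for. Only the ordering and tempo distinguish a harvested session from a normal one.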

Researchers who examined the released files identified an inventory that goes well beyond generic administrative records. The compromise appears to include full SSO user directories, DKIM signing keys, AWS configuration snapshots, internal admin URLs, employee personally identifiable information, and data extracted from both the NextCloud collaboration platform and Athena, the EU's military financing mechanism. Exposure of DKIM signing keys creates conditions for near-undetectable email spoofing across Commission domains. The inclusion of Athena data, even partially, introduces risk into a system that funds defense-related activities across member states.

"Early findings of our ongoing investigation suggest that data have been taken from those websites," the Commission said in a statement issued Friday. "The Commission is duly notifying the Union entities who might have been affected by the incident." Officials added that the Commission's internal systems were not affected and that no Europa websites experienced service disruption, two containment points that distinguish this incident from more operationally destructive government breaches. The relatively swift public acknowledgment represents a departure from the opacity that has characterized past public-sector responses to cloud intrusions, though the Commission's statement disclosed no specifics about how the AWS accounts were initially identified as compromised or how long attackers maintained access before detection.

The breach is a direct stress test of the EU's outsourced cloud model. Like most large public administrations, the Commission runs significant web-facing infrastructure through commercial providers under shared-responsibility frameworks in which identity management, access controls, and security configurations remain the tenant's obligation. Researchers characterized this attack as a convergence of social engineering and cloud misconfiguration, a pairing that compliance frameworks governing EU data handling have been slow to address with cloud-specific, prescriptive controls rather than principle-based guidance.

ShinyHunters, which first appeared in 2020, has previously targeted SSO credentials and Salesforce data at organizations including Google, Chanel, Canada Goose, and Panera Bread. The Commission operation represents the group's most geopolitically consequential action to date; the materials it now controls could expose negotiating positions in pending trade or regulatory talks and complicate procurement decisions involving EU defense or technology programs.

Under EU law, if the breach is determined to pose a high risk to individuals, the Commission faces a legal obligation to notify those individuals without undue delay. Immediate remediation will require revoking compromised credentials, auditing cloud IAM policies, and conducting forensic analysis across the full scope of the affected environment. Security experts are pressing Brussels to translate those operational steps into binding EU-wide standards on cloud hygiene and privileged account protections, not aspirational benchmarks but enforceable minimums for institutions holding materials of this sensitivity. The Commission is simultaneously crafting AI and cybersecurity regulations it intends to export as global standards; managing that ambition alongside an unresolved data theft from its own cloud infrastructure is a credibility test with no clean resolution in sight.
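The remediation steps named above (revoking compromised credentials and auditing cloud IAM) are easier to make systematic when driven from an inventory of every credential in the account. The routine below is an added example, not the Commission's or AWS's code; it reads a credential report in the CSV format that `aws iam get-credential-report` returns (base64-encoded in the API response), using a subset of that report's real column names. The report rows, the 90-day age limit and the "as of" date are constructed assumptions.

```python
"""Turn an IAM credential report into a list of remediation actions:
enforce MFA on console users, rotate old access keys, deactivate unused ones,
and never tolerate access keys on the root account.

Added example (not the Commission's or AWS's code). Column names match the
credential-report CSV; the rows, threshold and date are constructed.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed policy threshold


def _parse_ts(s):
    """Report timestamps are ISO 8601 with an offset, or one of the sentinel
    strings N/A / no_information / not_supported."""
    if s in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(s)


def triage_credential_report(report_csv, as_of):
    """Return (user, action, reason) tuples for every credential needing work."""
    actions = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                actions.append((user, "delete_root_access_keys", "root must not hold access keys"))
            if row["mfa_active"] != "true":
                actions.append((user, "enable_mfa", "root account without MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            actions.append((user, "enforce_mfa", "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated and (as_of - rotated).days > MAX_KEY_AGE_DAYS:
                actions.append((user, f"rotate_access_key_{n}",
                                f"key older than {MAX_KEY_AGE_DAYS} days"))
            if last_used is None or (as_of - last_used).days > MAX_KEY_AGE_DAYS:
                actions.append((user, f"deactivate_access_key_{n}",
                                f"key never used or unused for more than {MAX_KEY_AGE_DAYS} days"))
    return actions


# Constructed report (subset of the real columns). 111122223333 is the account
# id used in AWS documentation examples; users and dates are invented.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
j.doe,arn:aws:iam::111122223333:user/j.doe,true,false,true,2025-12-05T08:09:40+00:00,2025-12-06T01:12:00+00:00,false,N/A,N/A
a.smith,arn:aws:iam::111122223333:user/a.smith,true,true,true,2025-01-10T09:00:00+00:00,2025-11-30T10:00:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2025-10-01T00:00:00+00:00,N/A,true,2025-11-20T00:00:00+00:00,2025-12-05T12:00:00+00:00
"""
AS_OF = datetime(2025, 12, 6, 12, 0, tzinfo=timezone.utc)  # assumed audit time


def triage_sample():
    return triage_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, action, reason in triage_sample():
        print(f"{user:15} {action:25} {reason}")
```

After an intrusion the age and usage thresholds matter less than the inventory itself: any key created or policy attached during the attacker's window (the kind of IAM activity the article describes) should be revoked outright, and the report gives a complete list of what exists so nothing is missed.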
