European Commission Confirms AWS Cloud Breach — ShinyHunters Steal 350GB of EU Data (March 2026)
The European Commission has confirmed that ShinyHunters compromised its Amazon Web Services account on March 24, 2026, exfiltrating 350GB of sensitive EU data including internal communications, database snapshots, and confidential policy documents. AWS clarified the breach stemmed from compromised credentials, not any flaw in Amazon's infrastructure.
The European Commission confirmed on that the ShinyHunters threat group had successfully breached its Amazon Web Services cloud account, exfiltrating an estimated 350GB of sensitive European Union institutional data. The incident — which began on — represents one of the most significant cyberattacks against an EU institution in recent memory, and a stark warning about credential-based cloud security risks at the highest levels of government.
What Happened
The ShinyHunters hacking group — previously responsible for high-profile breaches targeting AT&T, Ticketmaster, and Santander Bank — gained access to the European Commission's AWS account through compromised account credentials rather than any flaw in Amazon's own infrastructure. Once inside, the attackers moved through the Commission's cloud environment before being detected and blocked. The attack struck the Commission's Amazon Web Services account hosting the Europa.eu platform, the institution's primary public-facing web infrastructure.
Amazon Web Services clarified that "AWS did not experience a security event, and our services operated as designed" — placing responsibility squarely on credential management practices. The European Commission confirmed the attack publicly, stating: "Internal systems were not affected by the cyber-attack."
Key Details
- 350GB of data exfiltrated — the stolen cache reportedly includes mail server dumps, internal communication logs, database snapshots, confidential contracts, and sensitive policy documents
- ShinyHunters claimed responsibility — by late March 2026, the group had begun leaking approximately 90GB of the stolen data on their Tor-based leak site
- Attack vector: compromised credentials — AWS confirmed its infrastructure was not breached; attackers used stolen AWS account credentials to gain entry
- Attack date: March 24, 2026 — the intrusion began March 24, was detected and contained, and confirmed publicly on March 27
- Europa.eu platform targeted — the breach hit cloud infrastructure hosting the Commission's main public-facing web environment
- No internal systems affected — the Commission stressed that core internal systems remained secure and were not compromised
What Developers and Users Are Saying
The Hacker News thread on the breach drew immediate reaction from the security community. The top-voted comment noted that "this is exactly the credential hygiene failure scenario that cloud security frameworks have been warning about for years — IAM permissions, MFA enforcement, and secrets rotation all matter." Security researchers on Twitter/X pointed out that ShinyHunters has now hit some of the world's most prominent organizations in rapid succession, suggesting the group has industrialized credential acquisition and account takeover at scale. EU government technology advocates raised the breach in the context of Europe's ongoing cloud sovereignty debate — several commenters argued the incident validates the push for European-hosted alternatives to US hyperscaler infrastructure.
What This Means for Developers
This breach underlines several concrete security practices every AWS user should audit immediately. Enforce Multi-Factor Authentication (MFA) on all IAM users and root accounts with no exceptions. Rotate access keys on a strict schedule — 90 days maximum, ideally shorter. Use IAM roles with least-privilege permissions rather than long-lived access keys wherever possible. Enable AWS CloudTrail and GuardDuty to detect anomalous access patterns in real time. Consider AWS Organizations Service Control Policies (SCPs) to limit what actions can be taken even with valid credentials. The Commission's breach is a case study in what happens when credential hygiene is treated as a compliance checkbox rather than an operational discipline — even at an institution with the mandate and resources to do better.
What's Next
The European Commission has not disclosed its full incident response timeline. ShinyHunters' ongoing leak of the 350GB dataset means the situation remains active — additional sensitive documents may be published at any time. EU data protection regulators, including relevant national Data Protection Authorities (DPAs), are expected to investigate whether the breach triggers GDPR notification obligations. The incident is likely to accelerate EU institutional discussions about cloud sovereignty and the viability of deploying EU-hosted alternatives to US hyperscaler services. Watch for official statements from the European Data Protection Supervisor (EDPS) in the coming weeks.
Sources
- TechCrunch — European Commission confirms cyberattack after hackers claim data breach
- CyberNews — Hackers steal data from European Commission in AWS cloud breach
- Bloomberg — European Commission's data stolen in hack on AWS account
- CyberPress — European Commission confirms AWS cloud breach investigation
- TwelveSec — In-depth analysis: the ShinyHunters breach of the European Commission
- Computing.co.uk — European Commission investigating alleged breach of Amazon systems
Stay up to date with Doolpa
Subscribe to Newsletter →