ShinyHunters Breached the European Commission's AWS Account. 350 GB of Contracts, Emails, and Internal Documents Are Gone.
On March 24, 2026, attackers gained access to the European Commission's Amazon Web Services account hosting its Europa.eu infrastructure. The notorious ShinyHunters group claims 350 GB stolen, including mail server dumps, database exports, contracts, and internal documents. The Commission confirmed the attack three days later.
VaultTools · March 30, 2026
Photo by Towfiqu barbhuiya on Unsplash
Table of Contents
- What happened
- What was stolen
- How the attack worked
- The GDPR irony
- What this means for cloud-stored files
- Sources
What Happened
On March 24, 2026, the European Commission detected a cyberattack on its cloud infrastructure. Three days later, on March 27, the Commission confirmed the incident publicly. The attack targeted the AWS account hosting the Commission’s web presence on the Europa.eu platform.
The threat actor is ShinyHunters, a well-documented group responsible for prior large-scale breaches including Ticketmaster (560 million records), Santander Bank, and AT&T. The group posted its claim on a dark web forum on March 26, with a post timestamped 2026-03-26 11:10:00. ShinyHunters provided BleepingComputer with screenshots of stolen documents as proof of access.
The Commission’s statement said: “On 24 March, the European Commission discovered a cyber-attack, which affected its cloud infrastructure hosting the Commission’s web presence on the Europa.eu platform. The Commission took immediate steps and contained the attack, with risk mitigation measures also implemented.”
What Was Stolen
ShinyHunters claims the stolen dataset totals 350 GB and includes:
- Mail server dumps
- Database exports
- Internal documents
- Contracts
- Employee data
The group stated it is not seeking a ransom and plans to publish the data instead. As of March 30, 2026, no public release has occurred and the investigation is ongoing.
The Commission clarified that its internal systems were not affected. The breach was limited to the cloud infrastructure used to host public-facing Europa.eu websites. AWS denied any security failure on its side.
How the Attack Worked
According to reporting by Cybernews and CSO Online, the attackers used social engineering to obtain credentials for the Commission’s AWS account. No software vulnerability in AWS itself was exploited. The attack relied on credential compromise at the account level, the same technique used in the majority of high-profile cloud breaches.
This is consistent with the pattern identified in Keep Aware’s 2026 State of Browser Security Report, published three weeks earlier, which found that 46% of sensitive credentials submitted in enterprise environments go through personal or unverified accounts with no additional controls.
The GDPR Irony
The European Commission is the institution that drafted, enacted, and enforces the General Data Protection Regulation. It is the body that levied the fines that pushed GDPR cumulative penalties past €7.1 billion. Its own cloud-hosted documents are now in the possession of a group that has previously monetized stolen data on criminal markets.
The breach does not represent a GDPR violation by the Commission against a data subject in the regulatory sense, but the institutional dimension is significant. The organization with the highest formal authority over data protection in the world could not keep its own cloud-stored files out of the hands of a known threat actor.
What This Means for Cloud-Stored Files
The attack used no zero-day vulnerability. It used no sophisticated malware. It used compromised credentials against a cloud account. That is the normal threat model for any organization that stores documents on third-party cloud infrastructure.
Files that never reach a server cannot be taken from one. Processing documents, contracts, PDFs, and images locally in the browser, without uploading them to an external service, removes the server-side target entirely. There is no cloud account to compromise, no storage bucket to exfiltrate, and no mail dump to sell. The file stays on the device that created it.
Sources
- European Commission confirms cyberattack after hackers claim data breach (TechCrunch, March 27, 2026)
- European Commission’s Data Stolen in Hack on AWS Account (Bloomberg, March 27, 2026)
- Hackers steal data from European Commission in AWS cloud breach (Cybernews)
- ShinyHunters Claims 350GB Data Breach at European Commission (HackRead)
- ShinyHunters claims the hack of the European Commission (Security Affairs)
- European Commission data stolen in a cyberattack on the infrastructure hosting its web sites (CSO Online)