ShinyHunters Claims 350GB Data Theft From the European Commission's Cloud Systems

European Commission building at night with cyberattack glitch effects

The European Commission just got hit with one of the biggest cyberattacks in its history — and the hackers are bragging about it. ShinyHunters, a notorious cybercrime group, claims to have stolen over 350 gigabytes of data from the Commission's cloud infrastructure, including mail server dumps, databases, and confidential documents.

The Commission confirmed the attack was detected on March 24 and targeted the cloud infrastructure hosting its Europa.eu websites. But in a move that will surprise no one who follows institutional cybersecurity, they insist their "internal systems were not affected."

What Was Stolen?

According to ShinyHunters' listing on their Tor-based leak site, the stolen data potentially includes:

Mail server dumps — internal communications between Commission officials

Databases — structured data from Europa.eu systems

Confidential documents and contracts — the kind of material that could be extremely sensitive given the EU's role in regulating everything from AI policy to trade negotiations

AWS, which hosts the targeted cloud infrastructure, stated that its services "functioned as expected" and denied any security incident on its end — suggesting the breach came through compromised credentials rather than an infrastructure vulnerability.

ShinyHunters: A Track Record of High-Profile Hits

This isn't ShinyHunters' first rodeo. The group has been on a tear in 2026, targeting major organizations including Odido (6.2 million customers impacted), SoundCloud, Canada Goose, and fintech firm Figure. Their primary attack vector? Social engineering — particularly voice phishing (vishing) to steal credentials for SaaS platforms like Salesforce, Okta, and Microsoft 365.

The group follows a familiar playbook: breach, exfiltrate, demand ransom, and leak the data when payment doesn't come.

The EU's Growing Cybersecurity Problem

This is the European Commission's second confirmed cyberattack in 2026. In January, attackers breached its mobile device management system, potentially accessing staff names and phone numbers. That incident was contained within nine hours, but the pattern is concerning.

The Commission said it will "continue monitoring the situation while strengthening protections" and will analyze the incident to improve its cybersecurity posture. The EU faces "ongoing cyber and hybrid threats targeting critical services and institutions," the Commission acknowledged.

The Bottom Line

350 gigabytes of potentially sensitive EU Commission data in the hands of cybercriminals is a serious incident, regardless of the Commission's reassurances about "internal systems." When your mail servers, databases, and confidential contracts are compromised, the "internal systems are fine" talking point rings hollow. The real question isn't whether the data was stolen — it's what ShinyHunters plans to do with it, and whether the EU will treat this as the wake-up call it clearly is.