
ShinyHunters Claims 350GB EU Commission Breach — Databases, Emails, and Contracts Up for Leak

ShinyHunters claims 350GB stolen from EU Commission's AWS cloud. Internal systems safe, but databases and emails may be leaked.


The European Commission confirmed on Friday that its public-facing web infrastructure was hit by a cyberattack discovered on March 24 — and now a threat actor is posting what appears to be a ShinyHunters-affiliated dark web listing claiming 350 GB of stolen data, with a published SHA256 checksum and a download button. No ransom. Just a leak.

The attack struck the Commission's Amazon Web Services account that hosts its Europa.eu platform — the public hub for EU institutional information — before being detected and blocked. Critically, the Commission's core internal IT systems and administrative networks were not touched.

But "not worse" isn't the same as "fine." The dark web listing, updated today (March 28), claims the haul includes mail server dumps, internal databases, confidential documents, and contracts. The attacker confirmed to BleepingComputer — which first broke the story — that they plan to publish the stolen data rather than pursue extortion, and shared screenshots as proof of access.

Amazon, for its part, said its AWS infrastructure was not compromised and that its services operated as designed, meaning the entry point was almost certainly a misconfiguration or a compromised credential in the Commission's AWS account, not a flaw in Amazon's platform.

ShinyHunters, the group behind the listing, has been on an aggressive run through 2026. Google's Threat Intelligence Group has been tracking the group's expansion under multiple threat clusters, noting their use of voice phishing (vishing) and credential harvesting to compromise cloud SaaS environments — a pattern consistent with how an AWS account takeover would play out.

Security experts warn the attackers are likely either hacktivists or cyber mercenaries hired by a nation-state, and that politically motivated attacks of this kind are set to surge through 2026. The timing is notable: the Commission rolled out a new Cybersecurity Package in January 2026 to bolster EU defences, yet this is already the second breach of the year — a January attack on its mobile device management infrastructure also exposed staff contact data.

Stakeholders should stay alert for phishing attempts referencing this incident — watch for unsolicited emails requesting credentials, unusual attachments, or links that don't resolve to official EU domains. Navigate directly to europa.eu rather than clicking through emails.

The Commission says its investigation is ongoing and that affected EU entities are being notified. Whether the 350 GB leak materialises — and what's actually in it — will define the real severity of this breach.
