European Commission: ShinyHunters Claim 350GB AWS Cloud Breach Second Hack in Under Two Months

Mar 24, 2026 · 350GB claimed · 2nd breach in 2 months

CRITICAL · CORROBORATED

By Karim El Labban · ZERO|TOLERANCE

The European Commission - the executive arm of the European Union that drafted GDPR, enforces it against companies worldwide, and fined Meta EUR 1.2 billion for data protection violations - has been breached twice in under two months.

On March 24, 2026, attackers compromised the Commission's Amazon Web Services account hosting its Europa.eu web platform and claimed to exfiltrate over 350 GB of data including mail server dumps, database exports, confidential documents, and contracts.

The ShinyHunters extortion group posted the claim on its Tor leak site on March 28 and told BleepingComputer it intends to leak the data publicly rather than demand a ransom.

This attack follows a separate breach on January 30 in which attackers exploited zero-day vulnerabilities in Ivanti's Endpoint Manager Mobile to penetrate the Commission's Mobile Device Management infrastructure, exposing staff names and phone numbers before CERT-EU contained the intrusion within nine hours.

The body that writes the rules is failing to follow them.

And the regulatory framework that governs its own breach notification - Regulation (EU) 2018/1725, not GDPR - is a parallel system with less public scrutiny, no published fine schedule, and enforcement by the European Data Protection Supervisor rather than the national authorities the Commission itself oversees.

01

KEY FACTS

  • What: Attackers compromised the European Commission's AWS account hosting Europa.eu and claimed exfiltration of 350+ GB of data including mail server dumps, databases, documents, and contracts.
  • Who: European Commission (~32,000 staff, 27 EU member states, headquarters in Brussels). Europa.eu is the primary public web platform for all EU institutions.
  • How: Compromised AWS account credentials or IAM misconfiguration (assessed - not confirmed). AWS explicitly stated its infrastructure was not compromised.
  • Data: Claimed by threat actor: mail server content, database exports, confidential documents, contracts. Screenshots provided to BleepingComputer showed access to employee information and an internal email server. Specific data types not confirmed by the Commission.
  • Actor: ShinyHunters (claimed March 28). Tracked by Google Threat Intelligence as UNC6040/UNC6240/UNC6395. Attribution confidence: MODERATE - claim is on ShinyHunters' own infrastructure and consistent with their operations, but no independent security firm has verified attribution.
  • Impact: Investigation ongoing. No data leaked publicly as of March 29. Second breach in under two months. EDPS notification obligations under Regulation 2018/1725 triggered. Institutional credibility of GDPR's primary enforcer directly undermined.

02

WHAT HAPPENED

On January 20, 2026, the European Commission unveiled a comprehensive Cybersecurity Package proposing strengthened EU-wide defenses against growing cyber and hybrid threats.

Ten days later, on January 30, CERT-EU detected an attack on the Commission's own central Mobile Device Management infrastructure.

Attackers exploited two critical zero-day vulnerabilities in Ivanti's Endpoint Manager Mobile - CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8, CWE-94, enabling unauthenticated remote code execution) - to penetrate the MDM backend.

Staff names and mobile phone numbers were confirmed exposed. CERT-EU contained the intrusion and cleaned the system within nine hours. No mobile devices were compromised.

The same vulnerabilities were simultaneously exploited against the Dutch Data Protection Authority, the Dutch Council for the Judiciary, and Finland's government ICT provider Valtori (exposing up to 50,000 Finnish government employees' work details).

CISA added both CVEs to its Known Exploited Vulnerabilities catalog with an unusually aggressive 3-day remediation deadline. The Commission publicly disclosed the MDM breach on February 6.

Fifty-three days later, on March 24, the Commission's cybersecurity incident response team detected a second, unrelated attack - this time targeting the external cloud infrastructure hosting the Europa.eu web platform.

The attackers had compromised at least one of the Commission's Amazon Web Services accounts.

The Commission drew a firm line between the affected external cloud infrastructure and its internal IT systems. "The Commission's internal systems were not affected by the cyber-attack," Regnier stated.

Europa.eu remained available throughout the incident with no reported service disruption, suggesting the Commission's incident response team isolated the compromised AWS resources without taking the public-facing platform offline.

Regnier's statement is significant. It confirms the breach was not an AWS platform compromise but rather a failure within the Commission's own cloud account - its IAM configuration, its access credentials, its security controls.

Under the AWS shared responsibility model, AWS secures the infrastructure; the customer secures what runs on it. The Commission's cloud security was the customer's responsibility, and it failed.

BleepingComputer was the first outlet to report the breach on March 27, disclosing that a threat actor had contacted the publication "earlier this week" to claim responsibility.

The actor stated they had stolen over 350 GB of data including multiple databases and provided screenshots as proof of access to employee information and an internal employee email server.

The actor stated they would not attempt extortion but instead planned to leak the data online at a later date.

IBTimes SG reported the attacker "made direct calls to journalists" to provide evidence of access - a tactic consistent with ShinyHunters' documented media engagement strategy.

On March 28, the ShinyHunters extortion group formally posted the European Commission on its Tor data leak site (initial listing timestamped March 26 per RedPacket Security automated monitoring, updated March 28).

Hackread confirmed the listing appeared on ShinyHunters' DLS with a SHA256 checksum provided for the data archive. As of March 29, no download links have been published and no data samples have been released beyond the screenshots provided to BleepingComputer.

03

THREAT ACTOR

ShinyHunters claimed responsibility for the European Commission breach on March 28, 2026. ZERO|TOLERANCE assesses this attribution at MODERATE confidence.

The claim appeared on ShinyHunters' own Tor infrastructure, and the group has a documented pattern of accurately claiming breaches it has conducted. No independent security firm - Mandiant, CrowdStrike, or other - has publicly verified the attribution as of March 29.

ShinyHunters is tracked by Google Threat Intelligence under three designations reflecting its operational structure: UNC6040 (initial access and social engineering), UNC6240 (extortion operations), and UNC6395 (vishing and credential harvesting).

In August 2025, the group merged with Scattered Spider and LAPSUS$ operators to form the Scattered LAPSUS$ Hunters (SLH) collective - assessed by LevelBlue as a federated identity where several players collaborate and share infrastructure while retaining operational autonomy.

The collective operates through 16+ Telegram channels and runs an extortion-as-a-service model.

ShinyHunters' operational tempo in 2025-2026 has been extraordinary. The Salesloft Drift supply chain breach (August 2025) gave the group OAuth tokens for 760+ Salesforce organizations. The Snowflake campaign (2024) compromised Ticketmaster, Santander, and others.

The January 2026 SSO vishing campaign hit Harvard, UPenn, Panera Bread, SoundCloud, and 15+ other organizations.

ZERO|TOLERANCE has documented three ShinyHunters operations in prior articles: TELUS Digital (estimated 700TB-1PB stolen via GCP credential chaining, $65M ransom demanded), Odido (6.2 million Dutch telecom customers via Salesforce vishing), and Figure Technology (967,200 financial accounts via Okta SSO vishing).

The European Commission, if confirmed, would represent ShinyHunters' highest-profile governmental target to date and a significant escalation from corporate victims to EU institutional infrastructure.

The decision not to extort the Commission is notable. Unlike the TELUS Digital breach ($65M demand) and Figure Technology breach (ransom demanded and refused), the threat actor explicitly stated plans to leak rather than monetize.

This departure from ShinyHunters' established extortion model may signal ideological motivation, reputational strategy (the prestige of breaching the EU's executive body), or a calculated assessment that an EU institution would never pay a ransom.

On March 26, 2026 - two days before posting the Commission claim - ShinyHunters publicly acknowledged for the first time that it had operated BreachForums, the largest English-language cybercrime forum, from June 2023 until the FBI seized the domain in October 2025. The group threatened to release complete BreachForums backups including private messages, IP addresses, and user data if fake forums continued operating under the brand.

This simultaneous claim of a major EU institutional breach and public acknowledgment of forum operations suggests ShinyHunters is consolidating its position as a dominant threat actor willing to operate with increasing visibility.

04

WHAT WAS EXPOSED

The following data types are claimed by ShinyHunters in the dark web listing and in communications with BleepingComputer. None have been independently verified. The Commission's own statement confirms only that "data have been taken from those websites" without specifying types.

  • Mail server dumps - Complete or partial exports from at least one email server used by Commission employees. If authentic, this could include internal policy deliberations, diplomatic communications, legislative drafts, personnel discussions, and confidential correspondence between Commission directorates-general. Email metadata alone (sender, recipient, subject lines, timestamps) would reveal the Commission's internal communication patterns and organizational relationships.
  • Database exports - Unspecified databases from the Europa.eu platform infrastructure. Europa.eu serves as the public web presence for EU institutions and hosts content spanning legislation, consultations, procurement, grants, and institutional communications. Backend databases could contain registered user accounts, consultation submissions, procurement records, and content management system data.
  • Confidential documents - The threat actor's listing describes "confidential documents" without elaboration. The classification is the actor's characterization, not an independent assessment of the documents' sensitivity level.
  • Contracts - Administrative and operational agreements. Government contracts may contain vendor information, pricing, technical specifications, and terms that could be commercially sensitive or provide intelligence value.
  • Employee information - Screenshots provided to BleepingComputer showed access to information belonging to European Commission employees. The specific data fields visible in the screenshots have not been publicly described in detail.
  • Email server access - The threat actor claimed to retain access to at least one email server used by Commission employees at the time of contact with BleepingComputer. The Commission stated the attack was "contained." These claims are contradictory. If the threat actor maintained persistent email access after the Commission's incident response, the exposure scope would be significantly larger than the initial 350 GB exfiltration claim.

05

TECHNICAL FAILURE CHAIN

The exact attack vector has not been confirmed by the European Commission or published in any forensic report. The following analysis is based on AWS's public denial, the Commission's statements, and security expert assessments reported across multiple outlets.

Specific technical findings may change as the investigation progresses.

1. AWS account compromise via the identity and access management layer. AWS's explicit statement that "AWS did not experience a security event" confirms the compromise was account-level, not platform-level.

Under the AWS shared responsibility model, identity management, access controls, credential security, and data protection are entirely the customer's responsibility. The Commission's own IAM configuration, credential hygiene, or access policies failed.

2. Credential compromise - method unknown. The initial access method remains the single largest intelligence gap.

ShinyHunters' documented TTPs provide several plausible vectors: voice phishing (vishing) targeting an employee with AWS console or programmatic access, credential harvesting from a third-party breach (the same technique used in the TELUS Digital attack), a leaked or stolen API key or access key pair, or exploitation of an overly permissive IAM role.

The vishing hypothesis is consistent with ShinyHunters' 2025-2026 operational playbook - the group compromised Figure Technology, Panera Bread, SoundCloud, Harvard, and 15+ other organizations through Okta SSO vishing campaigns in the same timeframe.

3. Insufficient network segmentation between external and internal environments. The Commission's statement that its internal systems were not affected suggests some segmentation exists between the Europa.eu cloud infrastructure and the Commission's core administrative networks.

However, the fact that an email server used by Commission employees was accessible from the same AWS environment hosting the public web platform indicates the segmentation was not comprehensive.

Email infrastructure and public web hosting should not share an AWS account or exist within the same security boundary.

4. Exfiltration of 350+ GB without automated prevention. If the claimed volume is accurate, the transfer of 350 GB from a government cloud environment should have triggered automated data loss prevention controls.

At a sustained 100 Mbps transfer rate, 350 GB would take approximately 8 hours. At 1 Gbps, approximately 47 minutes. Either the Commission lacked DLP and egress monitoring on its AWS account, or the controls were not configured to alert on or block anomalous outbound data volume.

5. Two separate infrastructure compromises in under two months. The January MDM breach exploited Ivanti zero-day vulnerabilities. The March AWS breach appears to involve credential or IAM compromise. The attack vectors are distinct. The infrastructure types are different.

But the pattern reveals a common root cause: the Commission's security posture across its external-facing infrastructure - MDM, cloud, and web hosting - was insufficient to prevent compromise by two different threat actors using two different techniques within two months.

06

INDICATORS OF COMPROMISE

CVE IDs (First Breach - MDM/Ivanti):

  • CVE-2026-1281 - CVSS 9.8, Ivanti EPMM zero-day
  • CVE-2026-1340 - CVSS 9.8, Ivanti EPMM zero-day

Threat Actor:

  • ShinyHunters / UNC6040 / UNC6240 / UNC6395
  • Part of Scattered LAPSUS$ Hunters (SLH) collective

Data Leak:

  • ShinyHunters Tor DLS posting March 26, 2026
  • 350+ GB claimed exfiltration

Related Breaches (Same Ivanti Campaign):

  • Dutch Data Protection Authority
  • Dutch Council for the Judiciary
  • Finnish government ICT provider Valtori

Regulatory References:

  • Regulation (EU) 2018/1725, Article 34
  • EU Cybersecurity Regulation 2023/2841
  • CERT-EU Cyber Brief 26-03

07

REGULATORY EXPOSURE

The European Commission's breach notification obligations are governed by Regulation (EU) 2018/1725 - not GDPR. This distinction is critical and widely misunderstood.

GDPR (Regulation 2016/679) applies to EU member state organizations, companies, and data controllers processing personal data. It does not apply to EU institutions and bodies themselves.

EU institutions are instead governed by Regulation 2018/1725 - a parallel framework adopted on October 23, 2018 that mirrors GDPR's core principles but establishes a separate supervisory and enforcement structure.

  • Regulation (EU) 2018/1725, Article 34 (Notification to EDPS) - The European Commission, as a data controller, must notify the European Data Protection Supervisor (EDPS) of a personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it," unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The Commission became aware of the breach on March 24. The 72-hour deadline fell on March 27 - the same day the breach was publicly reported by BleepingComputer. Whether the EDPS was formally notified by this deadline has not been publicly confirmed.
  • Regulation (EU) 2018/1725, Article 35 (Communication to data subjects) - If the breach is "likely to result in a high risk to the rights and freedoms of natural persons," the Commission must inform affected individuals "without undue delay." The Commission stated it has begun notifying "potentially affected EU entities" but has not disclosed whether individual staff members whose data appeared in the threat actor's screenshots have been directly notified.
  • The 2018/1725 Enforcement Paradox - The EDPS supervises EU institutions' data protection compliance. But the EDPS is itself an EU institution. The Commission proposes the EDPS's budget. The Commission nominates EDPS candidates. This creates a structural dynamic where the regulator is institutionally dependent on the entity it regulates. In practice, the EDPS has exercised enforcement against EU institutions - notably ordering the Commission to bring its use of Microsoft 365 into compliance in March 2024 and fining the Commission's own Conference and Events Management service in a precedent-setting case. But the enforcement toolkit available to the EDPS against EU institutions is narrower than what national DPAs can deploy against companies under GDPR. The EDPS can issue reprimands, order compliance, and impose administrative fines - but there is no published fine schedule equivalent to GDPR's "up to 4% of annual global turnover" formula, and the political dynamics of one EU institution fining another create friction that does not exist in DPA-vs-corporation enforcement.
  • GDPR Credibility Impact (Regulation 2016/679) - While GDPR does not technically apply to the Commission, the reputational damage to GDPR enforcement is significant. The Commission is the architect and guardian of GDPR. It initiated enforcement actions resulting in over EUR 4 billion in cumulative fines against companies including Meta (EUR 1.2 billion), Amazon (EUR 746 million), and WhatsApp (EUR 225 million). The Commission's own inability to prevent two breaches in under two months - one via an unpatched zero-day in its MDM vendor, the other via apparent cloud credential failure - undermines the credibility of its enforcement posture. Organizations facing GDPR enforcement actions will inevitably point to the Commission's own security failures. This is not a legal defense - GDPR applies to them regardless - but it is a political and reputational weapon.
  • EU Cybersecurity Regulation (2023/2841) - This regulation, which entered into force in January 2024, mandates cybersecurity risk management measures for all EU institutions, bodies, offices, and agencies. It designates CERT-EU as the central hub for cybersecurity coordination across EU institutions. The Commission is subject to its requirements, which include risk assessments, incident handling procedures, and information sharing obligations. Two successful compromises within two months raise questions about the Commission's compliance with its own cybersecurity regulation.
  • NIS2 Directive Alignment - While EU institutions are not formally classified as "essential entities" under NIS2 (Directive 2022/2555), the Commission's January 2026 Cybersecurity Package proposed strengthened cyber obligations for institutions and agencies. The irony is acute: the Commission was breached ten days after proposing stronger cybersecurity requirements for itself and other EU bodies.

08

INTELLIGENCE GAPS

The following gaps exist in the public record for this incident:

1. The exact method of initial AWS account compromise has not been confirmed by the Commission, AWS, or any forensic responder.

Whether the attacker obtained credentials via vishing, credential stuffing, API key exposure, third-party breach data, or IAM misconfiguration remains unknown. This is the single most important unanswered question.

2. The threat actor's claim of 350+ GB exfiltrated data has not been independently verified. No data samples have been publicly released beyond the screenshots provided to BleepingComputer.

The Commission has confirmed data was "taken from those websites" but has not confirmed the volume or specific data types.

3. The threat actor claimed to retain access to at least one email server used by Commission employees, while the Commission stated the attack was "contained." Only forensic analysis can resolve this contradiction. If access persists, the exposure scope extends well beyond the initial 350 GB claim.

4. Whether the EDPS has been formally notified under Article 34 of Regulation 2018/1725 within the 72-hour window (March 24-27) has not been publicly confirmed. Similarly, whether individual data subjects have been notified under Article 35 has not been disclosed.

5. Whether any operational connection exists between the January 30 MDM breach (Ivanti zero-days, suspected state-sponsored) and the March 24 AWS breach (ShinyHunters, cybercriminal) has not been investigated publicly.

The attack vectors and threat actor profiles appear entirely distinct, but the possibility that intelligence gathered during the MDM compromise facilitated the cloud breach has not been ruled out.

09

ZERO|TOLERANCE Advisory

The European Commission is the regulatory body that has collected over EUR 4 billion in GDPR fines from companies that failed to protect personal data. It wrote the rules. It enforces the rules.

And in under two months, it was breached twice through two entirely different attack vectors targeting two separate infrastructure systems.

The MDM breach exploited Ivanti zero-day vulnerabilities that the Commission could not have patched before they were disclosed - a genuine zero-day scenario. The AWS breach is different. AWS explicitly stated its infrastructure was not compromised.

The failure was in the Commission's own cloud account - its credentials, its IAM policies, its access controls. This was not a sophisticated exploit of an unknown vulnerability.

This was a failure of basic cloud security hygiene in an environment hosting the public face of the European Union.

The first and most critical control is phishing-resistant authentication for all cloud administrative access. ShinyHunters' primary initial access technique across their 2025-2026 campaign is voice phishing targeting SSO and cloud credentials.

They breached Figure Technology through an Okta vishing call. They compromised 15+ organizations in January 2026 alone through the same technique.

If the Commission's AWS account was compromised via credential theft - and the available evidence points to credential or IAM failure - then FIDO2 hardware security keys for all AWS console and programmatic access would have stopped the attack at the door.

Google eliminated employee account takeovers entirely after mandating hardware keys. AWS supports FIDO2 for IAM users and root accounts.

There is no legitimate reason for an organization of the Commission's resources and profile to rely on passwords and SMS-based MFA for cloud infrastructure access.

The second control is AWS account isolation and organizational boundary enforcement. The fact that an employee email server was accessible from the same AWS environment hosting the public Europa.eu web platform indicates insufficient account-level segmentation.

AWS Organizations with Service Control Policies should enforce hard boundaries between accounts hosting public-facing web infrastructure and accounts hosting internal employee services.

Email infrastructure, employee directories, and internal collaboration tools should not exist in the same AWS account - or even the same AWS Organization - as a public website.

Each workload should have its own account with IAM policies scoped to that workload's specific requirements.

Third, the Commission must deploy cloud-native data loss prevention and egress monitoring with automated blocking. An exfiltration of 350 GB from a government AWS account should be impossible without triggering automated intervention.

AWS provides native tools for this: VPC Flow Logs for traffic analysis, GuardDuty for threat detection, Macie for sensitive data discovery, and CloudTrail for API activity monitoring.

These services must be configured with alert thresholds calibrated to the environment's normal baselines, and high-severity detections (anomalous data volume, API calls from unusual locations, new IAM principal access) must trigger automated response - session termination, account lockdown, and incident responder notification - not merely generate an alert for manual review.
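The egress-volume check described above, and the transfer-time arithmetic from the failure chain (350 GB at 100 Mbps and 1 Gbps), as an added example that is not the Commission's or AWS's code: it parses VPC Flow Log records in the default version-2 format, sums accepted bytes that leave RFC 1918 address space per network interface, and flags any interface whose outbound volume exceeds a multiple of a per-interface baseline. The flow records, baselines, interface ids and account id are constructed; in production the records would come from the Flow Log delivery stream and the baseline from historical data.

```python
"""Egress-volume detection over VPC Flow Log records.

Added example (not the Commission's or AWS's code): parses VPC Flow Log lines in
the default version-2 format, sums ACCEPTed bytes that leave the VPC's private
address space per network interface, and flags interfaces whose outbound volume
exceeds a multiple of a per-interface baseline. Sample records, baselines and
interface ids are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Default VPC Flow Log v2 fields, in the order AWS writes them.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# RFC 1918 space; traffic leaving it is treated as egress to the internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a web ENI with normal traffic, a database ENI moving
# 3 GB to an external host, an inbound REJECT and a NODATA placeholder row.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0aaa0web0001 10.0.1.10 203.0.113.50 443 51234 6 30 12000 1774310400 1774310460 ACCEPT OK
2 123456789012 eni-0aaa0web0001 10.0.1.10 203.0.113.51 443 51235 6 20 8000 1774310400 1774310460 ACCEPT OK
2 123456789012 eni-0aaa0web0001 10.0.1.10 10.0.2.20 41000 5432 6 400 250000 1774310400 1774310460 ACCEPT OK
2 123456789012 eni-0bbb0db00002 10.0.2.20 198.51.100.7 41001 443 6 900000 1500000000 1774310400 1774310460 ACCEPT OK
2 123456789012 eni-0bbb0db00002 10.0.2.20 198.51.100.7 41002 443 6 900000 1500000000 1774310460 1774310520 ACCEPT OK
2 123456789012 eni-0bbb0db00002 203.0.113.9 10.0.2.20 55555 22 6 3 180 1774310400 1774310460 REJECT OK
2 123456789012 eni-0ccc0idle0003 - - - - - - - 1774310400 1774310460 - NODATA
""".splitlines()

# Constructed per-interface baseline of outbound bytes per capture window.
BASELINE_BYTES = {"eni-0aaa0web0001": 50_000, "eni-0bbb0db00002": 400_000}


def parse_record(line: str) -> dict | None:
    """Return the fields of one v2 record, or None for rows that carry no counters."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":      # NODATA / SKIPDATA rows have '-' counters
        return None
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def egress_bytes_per_eni(lines) -> dict[str, int]:
    """Sum accepted bytes from a private source to an external destination, by ENI."""
    totals: dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if not is_external(rec["srcaddr"]) and is_external(rec["dstaddr"]):
            totals[rec["interface_id"]] += rec["bytes"]
    return dict(totals)


def flag_anomalous_egress(lines, baseline: dict[str, int], multiplier: float = 5.0,
                          floor_bytes: int = 1_000_000) -> list[tuple[str, int, int]]:
    """Return (eni, observed_bytes, threshold) for ENIs whose egress exceeds
    multiplier x baseline; floor_bytes stops tiny baselines from paging on noise."""
    flagged = []
    for eni, observed in egress_bytes_per_eni(lines).items():
        threshold = max(int(baseline.get(eni, 0) * multiplier), floor_bytes)
        if observed > threshold:
            flagged.append((eni, observed, threshold))
    return sorted(flagged)


def hours_to_exfiltrate(gigabytes: float, mbps: float) -> float:
    """Transfer time for a decimal-GB volume at a sustained link rate in Mbit/s."""
    return gigabytes * 8_000 / mbps / 3_600


if __name__ == "__main__":
    for eni, observed, threshold in flag_anomalous_egress(SAMPLE_FLOW_LOG, BASELINE_BYTES):
        print(f"ALERT {eni}: {observed:,} bytes out, threshold {threshold:,}")
    print(f"350 GB at 100 Mbps: {hours_to_exfiltrate(350, 100):.1f} h")
```

The detector deliberately ignores REJECT rows and NODATA placeholders, and counts only private-to-external flows, so east-west replication inside the VPC does not inflate the figure. Whatever consumes its output is where the automated response the text calls for belongs: the alert tuple carries the interface id, which is what a responder needs to quarantine the instance's security group.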

Fourth, the Commission should implement a unified cloud security posture management platform that provides continuous visibility across all AWS accounts, all IAM principals, all access patterns, and all data flows.

The two-breach pattern suggests the Commission may lack a consolidated view of its attack surface. MDM infrastructure, cloud accounts, email servers, and web hosting appear to be managed as separate domains without a unifying security architecture.

Cloud Security Posture Management tools (Wiz, Orca, Prisma Cloud, or AWS-native Security Hub with Config rules) provide the cross-account visibility needed to identify misconfigurations, excessive permissions, and exposed services before an attacker does.
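The account-boundary and scoped-policy control (second control above) and the misconfiguration check that a CSPM tool performs (fourth control), as an added example that is not the Commission's, AWS's or any CSPM vendor's code. It places a constructed over-broad IAM policy beside a corrected one scoped to a single bucket with a deny-unless-MFA statement, adds a constructed Service Control Policy for a hypothetical "public-web" organizational unit that forbids email services there and protects logging, and evaluates both. The bucket name, OU, account id and statement ids are assumptions; the IAM action names and the `aws:MultiFactorAuthPresent` condition key are real.

```python
"""Scoped workload policies, an organization-level boundary SCP, and a
CSPM-style check for excessive permissions.

Added example (not the Commission's or AWS's code): two constructed IAM policy
documents for a public-web workload, one over-broad and one scoped to a single
bucket with a deny-unless-MFA statement; a constructed SCP for a "public-web"
organizational unit; and small evaluators for both. Bucket names, OU names and
Sids are assumptions.
"""
from __future__ import annotations

import fnmatch
import json

# Weak: with stolen keys for this principal an attacker can do anything in the account.
OVERLY_BROAD_WEB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowEverything", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

# Corrected: only the site bucket, and nothing at all without MFA on the session.
SCOPED_WEB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadSiteAssets", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-public-site",
                      "arn:aws:s3:::example-public-site/*"]},
        {"Sid": "DenyAllWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Constructed SCP for the OU holding public-web accounts: no email services may
# exist there, and member accounts cannot switch off logging or leave the org.
PUBLIC_WEB_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "NoEmailServicesInPublicWeb", "Effect": "Deny",
         "Action": ["ses:*", "workmail:*"], "Resource": "*"},
        {"Sid": "ProtectDetectionControls", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "guardduty:DeleteDetector", "config:StopConfigurationRecorder",
                    "organizations:LeaveOrganization"],
         "Resource": "*"},
    ],
}


def _as_list(value) -> list:
    return [] if value is None else (value if isinstance(value, list) else [value])


def scp_denies(scp: dict, action: str) -> bool:
    """True if any Deny statement in the SCP matches the action (IAM action
    matching is case-insensitive with '*' wildcards). An SCP only filters what
    the account may use; a matching Allow in the account is still required."""
    for st in scp.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        if any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(st.get("Action"))):
            return True
    return False


def audit_policy(policy: dict) -> list[str]:
    """Flag admin-equivalent or service-wide wildcard grants, grants by exclusion,
    and the absence of a Deny statement conditioned on aws:MultiFactorAuthPresent."""
    findings = []
    requires_mfa = False
    for i, st in enumerate(policy.get("Statement", [])):
        sid = st.get("Sid", f"statement[{i}]")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if st.get("Effect") == "Deny":
            if "aws:MultiFactorAuthPresent" in json.dumps(st.get("Condition", {})):
                requires_mfa = True
            continue
        if "*" in actions and "*" in resources:
            findings.append(f"{sid}: Allow * on * is full administrative access")
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append(f"{sid}: service-wide wildcard action on every resource")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: Allow with NotAction/NotResource grants by exclusion")
    if not requires_mfa:
        findings.append("policy: no Deny conditioned on aws:MultiFactorAuthPresent")
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", OVERLY_BROAD_WEB_POLICY), ("scoped", SCOPED_WEB_POLICY)):
        print(name, audit_policy(pol) or ["clean"])
    print("SCP blocks ses:SendEmail:", scp_denies(PUBLIC_WEB_OU_SCP, "ses:SendEmail"))
```

The deny-unless-MFA statement is the pattern for human IAM users signing in with long-term credentials; workload roles get their own narrowly scoped policies and never a console password. SCPs do not apply to the management account, so the accounts holding public-web workloads must be member accounts under the OU for the boundary to hold.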

Fifth, the Commission must establish a formal credential rotation protocol triggered by upstream third-party breaches.

The TELUS Digital attack demonstrated how ShinyHunters chain credentials from one breach to the next - GCP credentials found in Salesloft Drift breach data gave them access to TELUS systems for 5-7 months.

If any Commission staff member stored AWS credentials, API keys, or access tokens in a third-party SaaS platform that was subsequently breached, those credentials become the attacker's next stepping stone.

Every vendor breach disclosure should trigger an automated review and rotation of all credentials associated with that vendor's integration points.
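The credential review that the first control (MFA on every console login) and the fifth control (rotation triggered by a vendor breach) both call for, as an added example that is not the Commission's or AWS's code. It parses the CSV that `aws iam get-credential-report` returns (the column names are real; the rows, review date and user-to-vendor mapping are constructed), flags console users without MFA, stale access keys and root access keys, and lists the active keys to rotate when a named vendor reports a breach. The report's `mfa_active` column does not distinguish FIDO2 keys from virtual MFA; confirming the device type needs `list-mfa-devices` per user.

```python
"""Credential hygiene review over an IAM credential report.

Added example (not the Commission's or AWS's code): parses the CSV returned by
`aws iam get-credential-report`, flags console users without MFA, stale access
keys and root access keys, and lists the keys to rotate when a named vendor's
integration is reported breached. Rows, review date and the user-to-vendor map
are constructed. mfa_active does not reveal whether the device is FIDO2.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timezone

# Constructed excerpt of a credential report (real column names, fake data).
CREDENTIAL_REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2026-03-20T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
web-admin,arn:aws:iam::123456789012:user/web-admin,2024-05-10T00:00:00+00:00,true,2026-03-23T14:11:00+00:00,2025-11-01T00:00:00+00:00,N/A,false,true,2024-05-10T00:00:00+00:00,2026-03-23T14:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-crm-sync,arn:aws:iam::123456789012:user/svc-crm-sync,2025-02-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-02-01T00:00:00+00:00,2026-03-01T06:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ops-lead,arn:aws:iam::123456789012:user/ops-lead,2023-09-15T00:00:00+00:00,true,2026-03-28T09:00:00+00:00,2026-02-01T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed: which third-party integration each service user's keys are used with.
INTEGRATION_OWNERS = {"svc-crm-sync": "hypothetical-crm-vendor"}

REVIEW_TIME = datetime(2026, 3, 29, tzinfo=timezone.utc)   # constructed review date


def parse_credential_report(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _age_days(stamp: str, now: datetime) -> int | None:
    """Days since an ISO timestamp; None for the report's placeholder values."""
    if stamp in ("N/A", "not_supported", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def review_credentials(rows: list[dict], now: datetime,
                       max_key_age_days: int = 90) -> list[dict]:
    """One finding dict per hygiene problem: console-no-mfa, root-no-mfa,
    root-access-key-N, stale-access-key-N."""
    findings: list[dict] = []

    def add(user: str, code: str, detail: str) -> None:
        findings.append({"user": user, "code": code, "detail": detail})

    for row in rows:
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            add(user, "root-no-mfa", "root account has no MFA device")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            add(user, "console-no-mfa", "console password enabled without any MFA device")
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                add(user, f"root-access-key-{slot}", "root account has an active access key")
            age = _age_days(row[f"access_key_{slot}_last_rotated"], now)
            if age is not None and age > max_key_age_days:
                add(user, f"stale-access-key-{slot}",
                    f"key {slot} last rotated {age} days ago (limit {max_key_age_days})")
    return findings


def keys_to_rotate_for_vendor(rows: list[dict], owners: dict[str, str],
                              vendor: str) -> list[tuple[str, int]]:
    """Active access keys of users whose integration is with the breached vendor."""
    to_rotate = []
    for row in rows:
        if owners.get(row["user"]) != vendor:
            continue
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] == "true":
                to_rotate.append((row["user"], slot))
    return to_rotate


if __name__ == "__main__":
    report = parse_credential_report(CREDENTIAL_REPORT_CSV)
    for f in review_credentials(report, REVIEW_TIME):
        print(f"{f['user']:<16} {f['code']:<20} {f['detail']}")
    print("rotate after vendor breach:",
          keys_to_rotate_for_vendor(report, INTEGRATION_OWNERS, "hypothetical-crm-vendor"))
```

Run against a real report, the same loop feeds a rotation workflow: the output of `keys_to_rotate_for_vendor` is the list of `(user, slot)` pairs to deactivate and reissue the moment the vendor disclosure lands, rather than after a manual review.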

10

SOURCES

BleepingComputer, TechCrunch, Bloomberg, SecurityAffairs, Hackread, Cybernews, CyberKendra, RedPacket Security, Engadget, IBTimes SG, CSO Online, CybersecurityNews, Computing.co.uk, BrightDefense, HelpNetSecurity, The Record, EDPS, EUR-Lex, CERT-EU Advisory (Cyber Brief 26-03), Rapid7, Ivanti Advisory, CISA KEV, GreyNoise, Google Cloud Blog (Mandiant), Obsidian Security, Wikipedia, Stibbe, Mayer Brown
