The European Commission has confirmed that hackers breached its Amazon Web Services cloud infrastructure and stole data from the EU's flagship public web platform, in what security researchers are calling one of the most consequential attacks on a European institution in recent memory.
The Commission said the attack targeted the Europa.eu web portal, the Union's central online platform hosting websites and services for its institutions, and confirmed that "data have been taken from those websites". It added that its internal systems were not affected and that public-facing websites remained online throughout the incident. The Commission detected the attack on 24 March, applied mitigation measures and said no disruption to website availability had occurred.
The cybercrime group ShinyHunters has claimed responsibility. The group claims to have stolen more than 350 gigabytes of data before its access was blocked, including multiple databases, and has added an entry for the European Commission to its dark web leak site, claiming the theft of "data dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material. " It has released an archive of more than 90 gigabytes of files purportedly taken from the compromised environment.
Commission spokesman Thomas Regnier, speaking to reporters on Monday, confirmed that parts of the Europa platform are hosted on cloud infrastructure provided by Amazon but sought to minimise the significance of the breach. Amazon Web Services said that it "did not experience a security event" and that its services "operated as designed" — a statement indicating that the attackers most likely exploited a compromised account or a security misconfiguration rather than a vulnerability in AWS's own products.
ShinyHunters emerged around 2020 and has built a reputation for high-profile operations targeting major corporations, including Ticketmaster, Santander and AT&T. The group is primarily financially motivated, typically operating a "double extortion" model: stealing data, demanding a ransom to prevent its release, and then publishing the data on dark web forums if the target refuses to pay. The group primarily uses social engineering — especially voice phishing — to steal credentials and access software-as-a-service platforms such as Salesforce, Okta and Microsoft 365.
Members of the group were previously accused of launching hacking campaigns against various industries before a spate of arrests slowed them down. The Commission has not formally attributed the attack to ShinyHunters; the link comes from the group's own dark web claims and independent security researchers.
Scope and risks
The Europa.eu platform hosts the websites of the Commission itself, along with the European Parliament, the European Council and other EU institutions, meaning the platform-wide character of the incident raises concerns about potential exposure across multiple bodies. Security researchers at Cybernews warned that possession of DKIM cryptographic keys — reportedly among the stolen material — could allow the group to forge emails that pass authentication checks from EU Commission domains, making it ideal for targeted spear-phishing of EU member states. The Commission has not confirmed that specific claim.
This incident follows a separate breach disclosed in February 2026, in which attackers targeted the Commission's mobile device infrastructure. In that case, limited staff contact data — including names and phone numbers — may have been accessed, but the breach was reportedly contained quickly and no mobile devices were compromised.
The Commission said it would "analyse the incident and use the results to further enhance its cybersecurity capabilities" and pointed to what it described as "persistent cyber and hybrid attacks targeting essential services and democratic institutions" across Europe.
