Hackers claiming to be from the ShinyHunters group say they have breached systems linked to the European Commission and released more than 350 GB of data. The claim appeared on the group’s dark web site earlier today, where they also post material linked to earlier incidents involving enterprise platforms.
According to the listing reviewed by Hackread.com, the data is described as a mix of mail server dumps, database exports, internal documents, and contracts. The attackers say the files were obtained through a system compromise, though no technical details have been shared so far to support that claim.
“European Commission (*
ShinyHunters.europa.eu) Over 350 GB+ of data was compromised, including data dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material.”
At this stage, there is no independent verification of the data. The European Commission has acknowledged the reports and said it is investigating. Given the size of the alleged leak, downloading and analysing the full data has not yet been possible, which makes it difficult to confirm both authenticity and impact.
If confirmed, the exposure could involve internal communications and administrative records, which are often as sensitive as personal data in terms of operational risk.
About ShinyHunters
ShinyHunters is a well-known hacking group with a track record of targeting major organisations and selling or releasing stolen data online. The group has been linked to breaches involving companies such as Salesforce partners and other high-profile platforms, often focusing on databases, customer records, and internal systems. Their approach usually involves gaining access to cloud services or poorly secured environments, then extracting large amounts of data for publication or sale.
In the European Commission’s case, reports suggest the hackers accessed its Amazon cloud environment through the Commission’s Amazon Web Services (AWS) accounts. However, an AWS spokesperson has denied any security incident within its cloud environment.
European Commission and Sensitive Data
It is also worth noting that EU institutions, including the European Commission, do handle sensitive categories of data. This can include biometric information such as facial recognition data, typically used for access control or identity verification within secure systems.
These activities are governed by strict legal frameworks under EU law, with clear limits on how such data is collected and used. However, it remains unclear whether any biometric or identity-related data is part of the alleged leak, and that question will likely be central to ongoing investigations.
Incidents like this show why both public and private sectors, even organisations with strong regulatory oversight and established security practices, can face risks from configuration errors, access control issues, security vulnerabilities, or third-party dependencies.
Nevertheless, this article will be updated based on the European Commission’s outcome of the ongoing investigations. Stay tuned.
