Last Tuesday, the European Commission quietly discovered something had gone very wrong inside its cloud infrastructure. By Friday, they put out a press release. By the weekend, the hacking group ShinyHunters had already posted the evidence on the dark web — over 350GB of it.

This is one of those stories that sounds like a dry government IT incident until you actually look at what was taken.

The leaked data reportedly includes emails and attachments, a full SSO user directory, DKIM signing keys, AWS configuration snapshots, NextCloud and Athena data, and internal admin URLs. One security researcher on X summed it up bluntly: "DKIM keys and AWS config snapshots in the same breach is catastrophic." And when you think about what that actually means, it's hard to disagree.

Here's the problem with DKIM keys, specifically. With those keys, ShinyHunters can forge emails that appear to come from official EU Commission domains and pass authentication checks — making them nearly perfect for spear-phishing campaigns targeting EU member states. Combined with a full employee SSO directory, you have everything you need to run incredibly convincing targeted attacks against people who trust the Commission's email domains by default.

None

How did this happen?

The attack struck the Commission's Amazon Web Services account — the one that hosts its Europa.eu platform. AWS has stated it did not experience a security event and that its services "operated as designed," which is a careful way of saying the problem wasn't Amazon's. The entry point was almost certainly a compromised credential or a misconfigured account. No zero-day. No sophisticated exploit chain. Just someone getting into an account they shouldn't have had access to.

The Commission confirmed that its internal systems were not affected and its public websites remained online throughout the incident. That's the good news. But "internal systems untouched" doesn't mean the damage is limited. ShinyHunters has already released an archive of over 90GB of files, with claims of 350GB total stolen from the compromised cloud environment.

None

Who is ShinyHunters?

If you've been following cybersecurity news for the past couple of years, this group isn't new. In recent months alone, they've claimed breaches at Infinite Campus, CarGurus, Canada Goose, Panera Bread, Betterment, SoundCloud, and Match Group — which owns Tinder, Hinge, and OkCupid. Many of those were pulled off through a large-scale voice phishing campaign, targeting SSO accounts at Okta, Microsoft, and Google across more than 100 organizations. The pattern is consistent: they find the credential, they get in, they take everything, and they post it.

Security experts warn the attackers are likely either hacktivists or cyber mercenaries hired by a nation-state, and that politically motivated attacks of this kind are set to surge through 2026.

The politics underneath this

There's a layer here that makes this more than just another data breach. The European Commission has been one of the loudest voices in the world when it comes to cybersecurity regulation — pushing the EU Cybersecurity Act, NIS2, and a new Cybersecurity Package launched just in January 2026. Researchers noted that this incident can be used to frame the Commission as an incompetent and insecure institution, especially since they're considered leaders in setting security regulations.

That framing isn't accidental. Whoever is behind this, the data being dumped publicly rather than ransomed suggests the goal is reputational damage, not money.

This is also the second confirmed breach of the Commission this year. In February 2026, attackers targeted its mobile device management system, potentially accessing staff contact data — names and phone numbers — though that incident was reportedly contained quickly.

None

What should you actually take from this?

Cloud misconfigurations and compromised credentials remain the most common entry points for attacks at this scale. It doesn't matter how good AWS's infrastructure is if the account accessing it is already compromised. Organizations — governments included — tend to invest heavily in perimeter defenses, while leaving cloud IAM policies, credential hygiene, and SSO configurations under-reviewed.

The DKIM key theft is also a reminder that a breach rarely ends at the initial data stolen. Those keys are a weapon that can be used for months, or even years, in follow-on attacks against everyone who trusts the EU Commission's email infrastructure.

The Commission's investigation is still ongoing. The full scope of what was taken hasn't been confirmed. But 350GB of data from the executive branch of the European Union is now floating on the dark web — and whoever put it there almost certainly isn't done with it.