Around March 24, the European Commission confirmed data had been taken from its Europa.eu platform. ShinyHunters is claiming credit, and the Commission confirmed the breach while declining to corroborate the volume the group is claiming.
The more useful story isn’t what they took. It’s how they keep doing this.
ShinyHunters has been running the same playbook since around 2020. Ticketmaster, 560 million records. Santander. Dozens of Snowflake customers. Infinite Campus, Panera Bread, SoundCloud. The list is long and not random. These are organizations that move large amounts of data through cloud infrastructure, often with monitoring that can’t keep pace with the complexity of their environments.
The Snowflake campaign is the clearest example of how they work. They didn’t break Snowflake. They got credentials, often through earlier breaches or infostealer malware, and logged in as legitimate users. With the right permissions, the data’s just sitting there. No exploit needed. No alert fired.
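A login with valid stolen credentials produces no failed-authentication signal, so detection has to key on behavior instead. The sketch below is an added example, not part of the original post; its log fields, sample events and thresholds are constructed assumptions, including that the log records whether a second factor was used. It flags a login from an IP the account has never used, without a second factor, that is followed by an export far above that account's baseline.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real data. Field names are hypothetical.
LOGINS = [
    {"ts": "2024-05-01T09:02", "user": "etl_svc", "ip": "10.0.4.17", "mfa": False},
    {"ts": "2024-05-02T09:01", "user": "etl_svc", "ip": "10.0.4.17", "mfa": False},
    {"ts": "2024-05-02T10:15", "user": "analyst1", "ip": "10.0.8.30", "mfa": True},
    {"ts": "2024-05-03T03:44", "user": "etl_svc", "ip": "203.0.113.50", "mfa": False},
    {"ts": "2024-05-03T11:20", "user": "analyst1", "ip": "198.51.100.7", "mfa": True},
]
EXPORTS = [
    {"ts": "2024-05-01T09:05", "user": "etl_svc", "ip": "10.0.4.17", "rows": 40_000},
    {"ts": "2024-05-02T09:04", "user": "etl_svc", "ip": "10.0.4.17", "rows": 42_000},
    {"ts": "2024-05-02T10:20", "user": "analyst1", "ip": "10.0.8.30", "rows": 1_200},
    {"ts": "2024-05-03T03:51", "user": "etl_svc", "ip": "203.0.113.50", "rows": 9_500_000},
    {"ts": "2024-05-03T11:25", "user": "analyst1", "ip": "198.51.100.7", "rows": 900},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def flag_sessions(logins, exports, cutoff, window=timedelta(hours=1), factor=10):
    """Flag logins after `cutoff` that come from an IP the user never used
    before, carry no MFA, and are followed within `window` by exports totalling
    more than `factor` times the user's largest baseline export."""
    cutoff = parse(cutoff)
    known_ips, max_rows = {}, {}
    for ev in logins:  # baseline: source IPs seen per user before the cutoff
        if parse(ev["ts"]) < cutoff:
            known_ips.setdefault(ev["user"], set()).add(ev["ip"])
    for ex in exports:  # baseline: largest single export per user
        if parse(ex["ts"]) < cutoff:
            max_rows[ex["user"]] = max(max_rows.get(ex["user"], 0), ex["rows"])
    alerts = []
    for ev in logins:
        t = parse(ev["ts"])
        if t < cutoff or ev["mfa"] or ev["ip"] in known_ips.get(ev["user"], set()):
            continue
        pulled = sum(ex["rows"] for ex in exports
                     if ex["user"] == ev["user"] and ex["ip"] == ev["ip"]
                     and t <= parse(ex["ts"]) <= t + window)
        if pulled > factor * max_rows.get(ev["user"], 0):
            alerts.append((ev["user"], ev["ip"], pulled))
    return alerts

if __name__ == "__main__":
    for user, ip, rows in flag_sessions(LOGINS, EXPORTS, cutoff="2024-05-03T00:00"):
        print(f"ALERT {user} from new IP {ip} without MFA exported {rows} rows")
```

An account with no baseline history is flagged on any export made without a second factor, which is the conservative choice for newly created or dormant accounts.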
The group has survived arrests, indictments, extraditions. Members cycle out and get replaced. Operationally, they keep going.
For the Commission specifically, there’s a detail worth noting: it runs its web infrastructure on American cloud services. The Commission also regulates how American tech companies handle European data. That irony isn’t the point, but it’s worth a moment.
The entry vector for this breach hasn’t been publicly confirmed. When it is, that’s the piece to pay attention to. Not how many gigabytes ShinyHunters says they have.