Around March 24, the European Commission confirmed what it probably didn’t want to confirm: data had been taken from its Europa.eu web platform.[1] The infrastructure in question runs on AWS. ShinyHunters is claiming credit, has dropped over 90GB of files on their dark web leak site, and says they have 350GB total.[2] The Commission confirmed the breach and confirmed data was taken.[1] It did not confirm the volume.

That distinction matters. So does the broader picture.

Because ShinyHunters isn’t a one-time headline. They’re a repeating pattern, and they’ve been running this playbook long enough that it deserves to be understood on its own terms.


Who They Are

ShinyHunters emerged around 2020 and built a reputation fast. Not through sophisticated zero-days or nation-state-level tradecraft. Through persistence, cloud access, and the willingness to hit large targets at scale.

Their track record is long. Ticketmaster, 560 million records. Santander. A wave of Snowflake customers that turned into one of the more significant credential-harvesting campaigns in recent memory. Infinite Campus, CarGurus, Canada Goose, Panera Bread, Betterment, SoundCloud. The list isn’t random. These are organizations that move serious amounts of data through cloud infrastructure, often without the kind of monitoring that would catch a quiet, methodical intruder before significant damage is done.

That’s the common thread. Not a specific industry. Not a specific country. Cloud infrastructure, large data volumes, institutions that have grown fast enough that their security controls haven’t always kept pace.

The Commission Breach

The official statement from the European Commission was careful. “Early findings of our ongoing investigation suggest that data have been taken from those websites.”[3] They were clear that internal systems were not affected. That qualifier is doing real work: what was hit was the web-facing infrastructure, the public platform, not the core back-end systems. But web infrastructure at an organization the size of the Commission isn’t nothing. It holds real data. User data, system data, potentially more.

ShinyHunters is claiming they accessed mail servers, databases, confidential documents, and contracts. Those are attacker claims. They haven’t been independently verified, and the Commission hasn’t corroborated them. Treat them accordingly. What’s confirmed is that data was taken. The rest is negotiating posture.

The 90GB release on their leak site fits the group’s standard pressure play. Publish a portion, hold the rest, watch what happens. Sometimes organizations pay. Sometimes they don’t. Either way, ShinyHunters walks away with the data and a new line on their resume.

The entry vector hasn’t been publicly disclosed. That’s frustrating but not unusual. Attribution takes time, and organizations generally don’t announce exactly how they got hit while the investigation is still open.

One detail worth noting, without belaboring it: the European Commission is also the body that regulates how American tech companies handle European data. The breach came through American cloud infrastructure. Make of that what you will.

Why They Keep Working

The honest answer is that cloud environments are hard to defend at scale, and ShinyHunters has gotten good at finding the gaps.

This isn’t about finding a single exotic vulnerability. It’s about systematic targeting. Large organizations that rely heavily on cloud infrastructure tend to have complex environments. Many vendors, many integrations, credentials distributed across dozens of teams. That complexity creates surface area. ShinyHunters finds it.

The Snowflake campaign is the clearest example. They didn’t break Snowflake. They obtained credentials, often through infostealer malware or earlier breaches, and used them to log in as legitimate users. Once inside a Snowflake environment with the right permissions, the data is just sitting there. No exploit needed. No alarm tripped. Just access.

It’s a useful reminder that “our internal systems weren’t affected” often means “the attacker got what they wanted through the path that was easier to access.” The web platform, the contractor environment, the third-party integration. These aren’t secondary systems in terms of data exposure, even if they’re secondary in terms of organizational priority.

What Makes This Group Different

A lot of threat actors hit a few targets and go quiet. ShinyHunters has been operating continuously for years, adapting, and still landing significant breaches. That’s not luck.

They’ve gone through legal pressure. Members have been arrested, indicted, extradited. The group keeps operating. That suggests either that enough of the operation is decentralized to survive individual takedowns, or that there’s enough turnover and recruitment to replace lost members, or both.

The combination of operational continuity and a consistent methodology is what makes them worth taking seriously. This isn’t a group that tried something once and got famous. They built a repeatable approach and kept scaling it.

The Takeaway

The European Commission breach will generate a lot of coverage about what was taken, who’s affected, and what the Commission is doing to respond. Some of that coverage will be useful. A lot of it will be speculation dressed up as reporting.

The more useful frame is this: a threat actor with a multi-year track record of successful cloud infrastructure breaches just added one of the world’s largest regulatory bodies to their target list. And the method, whatever it turns out to be, will almost certainly rhyme with what they’ve done before. Cloud access. Credential abuse or some form of unauthorized entry. Large data exfiltration. Public pressure.

If your organization runs significant workloads in cloud environments and you’re not actively monitoring for the kind of lateral movement and data staging that precedes an exfiltration event like this, you are probably not ready for the version of ShinyHunters that shows up next. Not because you’re the European Commission. Because you’re exactly the kind of target they look for.
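
An added example, not from the original article or from any vendor: one way to look for the pattern described above, a valid-credential login (as in the Snowflake campaign) from a source never seen for that identity, followed by reads far above its normal volume. The event schema, principal names, addresses, cutoff and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events in a simplified, hypothetical schema (not any
# provider's real log format): (timestamp, principal, source_ip, action, bytes)
EVENTS = [
    ("2026-03-01T09:00", "svc-report", "10.0.4.7", "login", 0),
    ("2026-03-01T09:05", "svc-report", "10.0.4.7", "read", 40_000_000),
    ("2026-03-02T09:00", "svc-report", "10.0.4.7", "login", 0),
    ("2026-03-02T09:04", "svc-report", "10.0.4.7", "read", 55_000_000),
    ("2026-03-03T09:00", "svc-report", "10.0.4.7", "login", 0),
    ("2026-03-03T09:06", "svc-report", "10.0.4.7", "read", 45_000_000),
    ("2026-03-01T10:00", "analyst-a", "10.0.9.2", "login", 0),
    ("2026-03-01T10:10", "analyst-a", "10.0.9.2", "read", 5_000_000),
    # --- detection window starts here ---
    ("2026-03-10T02:11", "svc-report", "203.0.113.50", "login", 0),
    ("2026-03-10T02:15", "svc-report", "203.0.113.50", "read", 900_000_000),
    ("2026-03-10T02:40", "svc-report", "203.0.113.50", "read", 1_200_000_000),
    ("2026-03-10T10:00", "analyst-a", "198.51.100.9", "login", 0),
    ("2026-03-10T10:05", "analyst-a", "198.51.100.9", "read", 4_000_000),
]

def detect(events, cutoff, window=timedelta(hours=6), factor=10):
    """Flag logins from a never-seen source that are followed by bulk reads."""
    cutoff = datetime.fromisoformat(cutoff)
    rows = sorted((datetime.fromisoformat(t), p, ip, a, b) for t, p, ip, a, b in events)
    known_ips, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for ts, who, ip, action, size in rows:
        if ts < cutoff:  # baseline period: learn usual sources and daily volume
            known_ips[who].add(ip)
            if action == "read":
                daily[who][ts.date()] += size
    findings = []
    for ts, who, ip, action, _ in rows:
        if ts < cutoff or action != "login" or ip in known_ips[who]:
            continue  # only successful logins from sources new to this principal
        base = median(daily[who].values()) if daily[who] else 0
        pulled = sum(b for t, w, i, a, b in rows
                     if w == who and i == ip and a == "read" and ts <= t <= ts + window)
        # A principal with no read history has base 0, so any sizeable read is flagged.
        if pulled > factor * max(base, 1):
            findings.append({"principal": who, "source": ip, "login": ts.isoformat(),
                             "bytes": pulled, "baseline": base})
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS, "2026-03-09T00:00"):
        print(finding)
```

The new-source login alone does not fire (analyst-a stays quiet); the finding comes from correlating it with read volume against that identity's own baseline.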

The Commission’s investigation is ongoing. More will come out. When it does, the entry vector will be the thing worth paying attention to, not the volume ShinyHunters is claiming to hold.


  1. European Commission press release IP-26-748 - https://ec.europa.eu/commission/presscorner/detail/en/ip_26_748

  2. CyberNews - leak site volume reporting and attribution caveat - https://cybernews.com/security/european-commission-data-breach-shinyhunters/ 

  3. BleepingComputer - Commission confirms data taken but not attacker volume claim - https://www.bleepingcomputer.com/news/security/european-commission-confirms-data-breach-after-europaeu-hack/