The EU Gets Pwned By ShinyHunters
Posted in Commentary with tags EU, Hacked on March 30, 2026 by itnerd
Today is the day that I report on organizations and individuals getting pwned.
The European Commission has confirmed a cyberattack affecting its Europa.eu web platform, with early findings indicating that data was extracted from cloud infrastructure hosted on Amazon Web Services (AWS). The incident was discovered on March 24, 2026, and officials said the breach was contained while an investigation into the full scope remains ongoing.
Hackers linked to the ShinyHunters group have claimed responsibility, alleging they accessed and stole more than 350GB of data, including databases and internal documents. The European Commission has not verified the full extent of the stolen data but confirmed that some data was taken and that affected entities are being notified.
The Commission stated that its internal systems were not impacted, with the attack limited to externally hosted cloud services supporting its public-facing websites. Authorities continue to assess the incident and determine what information may have been accessed while implementing additional security measures.
Lydia Zhang, President & Co-Founder, Ridge Security Technology Inc. served up this comment:
“Continuously exposed external digital assets, such as public websites and AWS S3 buckets, have become prime attack targets, especially with the rise of AI-driven automated threats. Organizations must strengthen their security posture; continuously scanning, testing, and remediating vulnerabilities across these interfaces is no longer optional, but essential.”
Noelle Murata, Sr. Security Engineer, Xcape, Inc. provided this comment:
“The business impact has escalated from a simple web defacement to a massive Identity and Access Management (IAM) crisis, as the breach likely involves the theft of DKIM keys and SSO directories. This means the adversary can now generate perfectly authenticated emails that bypass DMARC checks, turning the Commission’s own reputation into a weapon for secondary spear-phishing campaigns across the EU.
“The technical post-mortem indicates a failure of “Identity Hygiene” rather than a cloud security flaw; AWS has publicly cleared its own name, pointing to compromised credentials – likely harvested via the group’s signature vishing tactics against IT helpdesks. For defenders, the priority is no longer just “containing” the breach but an immediate, wholesale rotation of all cloud-based signing keys and a mandatory password reset for the entire SSO tenant. Furthermore, organizations interacting with the EC should treat all incoming “official” correspondence with extreme skepticism, even if it passes cryptographic validation.
“The reality is that if your identity provider is compromised, your “secure” cloud is effectively an open book.
“The EU is about to find out that “GDPR Compliance” is a lot harder to enforce when you’re the one filling out the self-report form.”
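As an added illustration of the signing-key rotation step Murata calls for (this is example code written for this page, not code from the post or from Xcape), the Python below audits a domain's DKIM selector records after an incident. It parses the DNS TXT tag=value format, treats an empty p= tag as a revoked key (RFC 6376 semantics), and flags any selector that still serves a key published before the incident was discovered. Every selector name, key string and publication date is a constructed placeholder; the only date taken from the post is the March 24, 2026 discovery date.

```python
"""Post-incident DKIM selector audit (added example; not from the post or any commenter).

After a suspected theft of mail signing keys, a defender wants to confirm that
every selector still publishing a usable public key was issued after the
incident, and that retired selectors are actually revoked. RFC 6376 defines
the TXT record syntax; a record whose p= tag is empty means the key is revoked.
All selector names, key material and dates below are constructed placeholders.
"""
from datetime import date

# Constructed sample: selector -> (TXT record as fetched from DNS, date the key was first published)
SAMPLE_RECORDS = {
    "s2025a": ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQColdkey", date(2025, 1, 10)),
    "s2025b": ("v=DKIM1; k=rsa; p=", date(2025, 7, 1)),  # revoked: empty p= tag
    "s2026a": ("v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnewkey", date(2026, 3, 26)),
    "legacy": ("v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClegacy", date(2023, 5, 5)),
}

# Date the incident was discovered (the post gives March 24, 2026)
INCIDENT_DATE = date(2026, 3, 24)


def parse_dkim_record(txt):
    """Parse a DKIM key record's 'tag=value; tag=value' list into a dict.

    Whitespace around tags and values is ignored, empty values (as in 'p=')
    are preserved, and anything that is not a DKIM1 record is rejected.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag in DKIM record: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 key record")
    return tags


def audit_selectors(records, incident_date):
    """Classify each selector after an incident.

    'revoked'  - the record publishes no key (p= is empty), so signatures
                 made with the stolen key no longer verify against it
    'rotated'  - the published key was issued after the incident
    'stale'    - a key that predates the incident is still live and must be replaced
    """
    verdicts = {}
    for selector, (txt, published) in records.items():
        tags = parse_dkim_record(txt)
        if tags.get("p", "") == "":
            verdicts[selector] = "revoked"
        elif published > incident_date:
            verdicts[selector] = "rotated"
        else:
            verdicts[selector] = "stale"
    return verdicts


def stale_selectors(records, incident_date):
    """Selectors that would still let a holder of the old key produce valid signatures."""
    return sorted(s for s, v in audit_selectors(records, incident_date).items() if v == "stale")


if __name__ == "__main__":
    for selector, verdict in audit_selectors(SAMPLE_RECORDS, INCIDENT_DATE).items():
        print(f"{selector:8s} {verdict}")
    print("rotation complete:", not stale_selectors(SAMPLE_RECORDS, INCIDENT_DATE))
```

In a real audit the TXT records would be fetched from DNS and the publication dates taken from the DNS change log or the mail platform's key inventory; the classification logic stays the same. An empty stale list is the condition to meet before trusting DKIM-signed mail from the domain again.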
Phil Wylie, Senior Consultant & Evangelist, Suzu Labs adds this:
“This attack shows that threat actors do not always need to penetrate core internal networks to create risk. Public-facing cloud environments often contain valuable operational data that can support reconnaissance, social engineering, and follow-on attacks.
“Most cloud breaches are not failures of the provider but issues around identity security, access management, or configuration. The real lesson here is that organizations need stronger visibility into how cloud data is accessed and moved, not just whether malware is present.
“Even if the affected systems were isolated, any confirmed data exfiltration should be treated as potential intelligence exposure that could enable future targeting.”
Rajeev Raghunarayan, Head of GTM, Averlon had this to say:
“Cloud breaches are rarely contained to the system where the compromise started. The real question is what that system had access to, regardless of whether it was considered external or internal. Public-facing applications are often connected to backend services, databases, and storage, and a compromise can expose far more than the initial entry point suggests. The separation between external and internal systems can limit blast radius, but only if access across those layers is tightly controlled, whether through network paths, vulnerabilities, misconfigurations, or identity permissions.
“The priority for organizations is understanding what data and systems were reachable from the compromised environment, not just what was directly affected. That potential blast radius is what determines the true impact and guides an effective response.”
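The blast-radius question Raghunarayan raises, what a compromised environment could reach rather than what it directly held, can be worked as a graph problem. The following Python is an added example written for this page (not code from the post or from Averlon): it models grants between principals, secrets and datastores as a directed graph and runs a breadth-first search from the compromised node, keeping the chain of grants to each reachable store as evidence for the incident report. The graph, principal names and sensitivity labels are constructed; the action names follow AWS IAM naming but the environment is hypothetical.

```python
"""Blast-radius estimate from a compromised cloud principal (added example; not from the post or any commenter).

Access is modelled as a directed graph: a principal can read a secret, a secret
yields another identity, an identity can reach a datastore, and so on. A
breadth-first search from the compromised node lists everything transitively
reachable, with the chain of grants that gets there. The graph, principal names
and sensitivity labels below are constructed; the action names are in AWS IAM
style but the environment is hypothetical.
"""
from collections import deque

# Constructed access graph: node -> [(neighbour, grant that makes it reachable)]
SAMPLE_ACCESS_GRAPH = {
    "role:web-app": [
        ("s3:public-site-assets", "s3:GetObject"),
        ("rds:cms-db", "rds-db:connect"),
        ("secret:cms-admin", "secretsmanager:GetSecretValue"),
    ],
    "secret:cms-admin": [("user:cms-admin", "credential stored in secret")],
    "user:cms-admin": [
        ("s3:site-backups", "s3:ListBucket"),
        ("s3:site-backups", "s3:GetObject"),
    ],
    "role:analyst": [("rds:cms-db", "rds-db:connect"), ("rds:hr-db", "rds-db:connect")],
    "s3:public-site-assets": [],
    "rds:cms-db": [],
    "s3:site-backups": [],
    "rds:hr-db": [],
}

# Constructed sensitivity labels for datastores whose exposure would trigger notification
SENSITIVE_STORES = {
    "rds:cms-db": "CMS users and subscriber contacts",
    "s3:site-backups": "full site backups including database dumps",
    "rds:hr-db": "staff HR records",
}


def blast_radius(graph, compromised):
    """Return {node: path} for every node reachable from the compromised node.

    Each path is the list of (grant, node) hops taken from the starting node,
    so the result doubles as the evidence trail for the incident report.
    """
    paths = {compromised: []}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for neighbour, grant in graph.get(current, []):
            if neighbour not in paths:  # BFS: the first path found is shortest in hops
                paths[neighbour] = paths[current] + [(grant, neighbour)]
                queue.append(neighbour)
    del paths[compromised]
    return paths


def exposed_stores(graph, compromised, sensitive):
    """Sensitive datastores inside the blast radius, with the shortest grant chain to each."""
    reach = blast_radius(graph, compromised)
    return {node: reach[node] for node in sorted(sensitive) if node in reach}


def render_path(start, path):
    """Human-readable chain: 'role:web-app -[grant]-> node -[grant]-> node'."""
    return start + "".join(f" -[{grant}]-> {node}" for grant, node in path)


if __name__ == "__main__":
    start = "role:web-app"
    for store, path in exposed_stores(SAMPLE_ACCESS_GRAPH, start, SENSITIVE_STORES).items():
        print(f"{store}: {SENSITIVE_STORES[store]}")
        print("   via", render_path(start, path))
```

Run against the constructed graph, the public-facing role reaches the CMS database directly and the backup bucket through a stored admin credential, while the HR database stays outside the radius because only the analyst role can connect to it. That distinction, reachable versus directly affected, is what the notification scope and the remediation order should be built on; in practice the edges come from the cloud provider's IAM policy evaluation and the secrets inventory rather than a hand-written dict.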
It’s days like this that make me wonder if there’s no going back and that organizations getting pwned is now the new normal. But we cannot believe that is true. Instead, more effort needs to be put into making sure that this starts to get addressed so that pwnage becomes an edge case as opposed to the new normal.
UPDATE: Gidi Cohen, CEO & Co-founder, Bonfy.AI had this to say:
“Modern incidents like the European Commission’s cloud breach are less about a single misconfigured account and more about sprawling unstructured content moving across websites, SaaS apps, storage buckets, AI systems, and agents without unified, context‑aware governance. Cloud security posture management and traditional DLP/DSPM remain necessary, but they are no longer sufficient on their own; without adaptive content controls that understand the people, customers, and citizens behind the data, organizations will continue to be surprised by where sensitive information surfaces when a breach hits.
“What matters now is not just where data lives but how it flows: public platforms and “content systems” quietly accumulate regulated and entity‑specific data in logs, backups, CMSes, and object stores, while AI and automation continuously read from and write to those same stores, creating a dense web of human, system, and agent access paths that legacy tools do not see end to end. In that environment, a cloud compromise becomes a test of whether an organization can quickly answer the only questions regulators and boards truly care about: whose data was exposed, through which systems, and how far it has already propagated.”