
European Commission Investigates Breach in Mobile Device Management Platform

2 unique sources, 4 articles

Summary


The European Commission is investigating a second breach affecting its Amazon cloud infrastructure hosting the Europa.eu platform, which occurred on March 24, 2026. A threat actor, identified as ShinyHunters, claims to have stolen over 350GB of data, including databases, confidential documents, employee PII, DKIM keys, internal admin URLs, NextCloud data, and military financing data. The attacker stated no intention to extort the Commission but warned of potential secondary impacts such as identity risk and spear-phishing attacks. The breach was contained within hours, and the Commission is notifying affected entities while investigating the full impact.

This follows the January 30, 2026 breach of the Commission’s mobile device management platform, linked to Ivanti EPMM vulnerabilities, which exposed staff names, phone numbers, and business email addresses and was contained within 9 hours.

Separately, ShinyHunters has recently targeted Instructure’s Canvas platform, breaching it a second time to deface login portals for approximately 330 educational institutions, replacing standard pages with an extortion message and threatening to leak data if a ransom is not paid by May 12, 2026. Instructure confirmed data theft during the attack but continues investigating the incident.

Timeline

  1. 09.02.2026 11:49 · 4 articles

    European Commission Detects Breach in Mobile Device Management Platform

    On January 30, 2026, the European Commission detected a cyberattack on its mobile device management platform, which may have exposed staff personal information. The incident was contained and the system cleaned within 9 hours. The breach is linked to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software, similar to recent attacks on Dutch institutions. The compromised data includes names, phone numbers, and business email addresses of staff members. On March 24, 2026, the Commission confirmed a second breach targeting its Amazon cloud infrastructure hosting the Europa.eu platform. The attack was contained within hours, and the Commission took immediate steps to investigate and mitigate risks. The threat actor, ShinyHunters, claimed responsibility, alleging theft of over 350GB of data, including mail server dumps, databases, confidential documents, contracts, DKIM signing keys, internal admin URLs, NextCloud data, and military financing data. The Commission stated that its internal systems were not impacted and is notifying affected entities while analyzing the full impact. Early findings suggest data from the Europa websites may have been taken.



Similar Happenings

Instructure breach claimed by ShinyHunters results in theft of 280 million records from 8,809 schools and universities

Instructure confirmed a cybersecurity incident conducted by a criminal threat actor and is investigating the impact with external forensic experts. The ShinyHunters extortion gang has claimed responsibility and alleges theft of 280 million records tied to students and staff from 8,809 educational institutions, publishing detailed impact lists per institution. Multiple universities have acknowledged awareness of the breach and initiated internal reviews.

Medtronic corporate network breach exposes over 9 million records, confirmed by vendor

Medical device manufacturer Medtronic confirmed a breach of its corporate IT systems after the ShinyHunters extortion group claimed to have stolen over 9 million records containing personally identifiable information (PII) and terabytes of corporate data. Medtronic states there is no impact to medical products, patient safety, customer networks, manufacturing, distribution, financial reporting, or its ability to meet patient needs. It notes that its corporate IT, product, manufacturing, and distribution networks are segmented, and that customer hospital networks remain separate and independently managed by customers' IT teams. The company is investigating whether personal data was accessed and will notify affected individuals if confirmed. MiniMed, Medtronic's diabetes-focused subsidiary, reported its own IT systems were not affected. The threat actor listed Medtronic on its leak site on April 17, setting a ransom deadline of April 21; Medtronic was later removed from the site, which may indicate payment.

Salesforce misconfiguration leads to non-sensitive data exposure at McGraw-Hill amid ShinyHunters extortion claims

McGraw-Hill confirmed a data breach affecting 13.5 million user accounts after ShinyHunters exploited a Salesforce environment misconfiguration to steal and leak non-sensitive data, including names, addresses, phone numbers, and email addresses. The company stated the breach did not impact its core Salesforce accounts, customer databases, courseware, or internal systems, though ShinyHunters claimed possession of 45 million records with PII. The affected webpages were secured promptly, and McGraw-Hill is collaborating with Salesforce to remediate the issue. Have I Been Pwned verified the leak of over 100GB of data tied to 13.5 million accounts. The incident remains distinct from a separate, unverified claim by a threat actor posing as ShinyHunters, who alleges breaching Vercel and selling stolen data, including API keys and employee records. Vercel has disclosed the incident and is investigating with law enforcement and incident response experts, while denying any impact to services.

Rockstar Games analytics data exfiltrated via third-party Snowflake compromise linked to Anodot breach

The extortion group ShinyHunters has expanded its campaign tied to the Anodot breach, claiming unauthorized access to Vimeo’s systems and threatening to leak data unless a ransom is paid. The attack leverages authentication tokens stolen from Anodot to compromise downstream victims, including Vimeo and Rockstar Games. Vimeo confirmed that exposed data included email addresses, technical data, video titles, and metadata, but excluded video content, credentials, and payment information. Operations remained unaffected, and Vimeo disabled Anodot integration and launched an investigation with law enforcement. Rockstar Games previously acknowledged a limited breach linked to the same third-party incident, with ShinyHunters leaking approximately 78.6 million records of internal analytics data. The compromised datasets included in-game revenue metrics, player behavior tracking, and Zendesk support analytics, with Rockstar asserting no operational impact.

Telus Digital Breach by ShinyHunters

Telus Digital, the business process outsourcing (BPO) arm of Canadian telecommunications provider Telus, has confirmed a security breach after threat actors known as ShinyHunters claimed to have stolen nearly 1 petabyte of data. The breach, which involved unauthorized access to a limited number of Telus Digital's systems, is currently under investigation. ShinyHunters claims to have accessed a wide range of customer data related to Telus' BPO operations and call records for Telus' consumer telecommunications division. The threat actors reportedly used Google Cloud Platform credentials discovered in data stolen during the Salesloft Drift breach to gain initial access. Telus has engaged cyber forensics experts and is working with law enforcement to manage the situation.