CyberHappenings

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

CERT-EU attributes European Commission cloud breach to TeamPCP with data exfiltration across 71 entities

1 unique source, 1 article

Summary


The European Commission disclosed a breach of its Amazon cloud environment attributed to the TeamPCP threat group, resulting in the exposure of data belonging to 42 internal Commission entities and at least 29 additional EU entities. The intrusion, initially detected on March 24, five days after the initial compromise, stemmed from a compromised AWS API key with management rights, stolen during the Trivy supply-chain attack, which was used to breach the Commission’s Amazon cloud infrastructure on March 10. TeamPCP subsequently leveraged cloud credential scanning tools like TruffleHog to locate and exfiltrate sensitive data, including tens of thousands of files with personal information, usernames, and email content. On March 28, the ShinyHunters data extortion group published a 90GB archive (340GB uncompressed) of the stolen dataset on a dark web leak site, containing personal data, email addresses, and content that may span multiple EU entities. No evidence of website defacement or lateral movement to other Commission AWS accounts was found.

Timeline

  1. 03.04.2026 09:33 · 1 article

    TeamPCP compromises European Commission cloud via AWS API key; ShinyHunters publishes 90GB dataset

    On March 10, TeamPCP leveraged a compromised AWS API key (stolen during the Trivy supply-chain attack) with management rights to breach the European Commission’s Amazon cloud environment. The threat actor used TruffleHog to discover additional credentials and created a new access key tied to an existing user to evade detection before exfiltrating data. CERT-EU detected the intrusion on March 24 and publicly disclosed the breach on March 27. On March 28, ShinyHunters published a 90GB compressed archive (340GB uncompressed) of the exfiltrated data, including personal information and email content spanning multiple EU entities.

Information Snippets

  • The breach originated from a compromised AWS API key with administrative privileges, stolen during the Trivy supply-chain attack, and was used on March 10 to compromise the European Commission’s Amazon cloud environment.

    First reported: 03.04.2026 09:33
    1 source, 1 article
  • TeamPCP used TruffleHog to scan cloud environments for additional credentials, then created and attached a new access key to an existing user account to evade detection before conducting reconnaissance and exfiltrating data.

    First reported: 03.04.2026 09:33
    1 source, 1 article
  • CERT-EU confirmed that tens of thousands of files containing personal information, usernames, email addresses, and email content were exfiltrated, affecting 42 internal European Commission clients and at least 29 other EU entities via the europa.eu web hosting service.

    First reported: 03.04.2026 09:33
    1 source, 1 article
  • ShinyHunters published a 90GB compressed archive (approximately 340GB uncompressed) containing the stolen dataset on their dark web leak site on March 28, including lists of names, last names, usernames, and email addresses predominantly from European Commission websites.

    First reported: 03.04.2026 09:33
    1 source, 1 article
  • CERT-EU analysis identified at least 51,992 files related to outbound email communications totaling 2.22 GB, with ‘bounce-back’ notifications posing potential exposure risks due to embedded user-submitted content.

    First reported: 03.04.2026 09:33
    1 source, 1 article
  • CERT-EU stated no websites were taken offline or tampered with, and no lateral movement to other Commission AWS accounts was detected during the incident.

    First reported: 03.04.2026 09:33
    1 source, 1 article
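
A detection check for the key-creation step described in the snippets above, as an added example (not from CERT-EU or the cited article): it flags successful CloudTrail CreateAccessKey events where the caller is not the key's owner, then lists what the new key was used for. The records, user names, key ids and IP address are constructed, and the field layout assumes standard CloudTrail JSON.

```python
IAM, S3 = "iam.amazonaws.com", "s3.amazonaws.com"

def _ev(time, source, name, caller, key, params=None, resp=None, error=None):
    """Build one constructed CloudTrail-style record (illustration only)."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "userIdentity": {"type": "IAMUser", "userName": caller, "accessKeyId": key},
          "sourceIPAddress": "203.0.113.7",
          "requestParameters": params, "responseElements": resp}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample: users, key ids and timestamps are made up, not from the incident.
SAMPLE_EVENTS = [
    _ev("2026-01-01T10:00:00Z", IAM, "CreateAccessKey", "alice", "AKIAEXAMPLEALICE0001",
        None, {"accessKey": {"accessKeyId": "AKIAEXAMPLEALICE0002", "userName": "alice"}}),
    _ev("2026-01-01T11:00:00Z", IAM, "CreateAccessKey", "ci-scanner", "AKIAEXAMPLECI000001",
        {"userName": "web-admin"}, None, error="AccessDenied"),
    _ev("2026-01-01T11:05:00Z", IAM, "CreateAccessKey", "ci-scanner", "AKIAEXAMPLECI000001",
        {"userName": "web-admin"},
        {"accessKey": {"accessKeyId": "AKIAEXAMPLENEW00001", "userName": "web-admin"}}),
    _ev("2026-01-01T11:09:00Z", S3, "ListBuckets", "web-admin", "AKIAEXAMPLENEW00001"),
    _ev("2026-01-01T11:12:00Z", S3, "GetObject", "web-admin", "AKIAEXAMPLENEW00001"),
]

def cross_user_key_creations(events):
    """Successful CreateAccessKey calls where the caller is not the key's owner."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != (IAM, "CreateAccessKey"):
            continue
        if ev.get("errorCode"):  # denied or failed calls created no key
            continue
        ident = ev.get("userIdentity") or {}
        caller = ident.get("userName") or ident.get("arn", "unknown")
        # requestParameters may carry no userName when a user creates its own key
        target = (ev.get("requestParameters") or {}).get("userName") or caller
        if target != caller:
            resp = (ev.get("responseElements") or {}).get("accessKey") or {}
            findings.append({"time": ev["eventTime"], "caller": caller,
                             "caller_key": ident.get("accessKeyId"),
                             "target": target, "new_key": resp.get("accessKeyId")})
    return findings

def activity_with_key(events, key_id):
    """Event names performed with a given access key id, for scoping what it touched."""
    return [ev["eventName"] for ev in events
            if (ev.get("userIdentity") or {}).get("accessKeyId") == key_id]
```

Both the caller's key and the newly created key need revoking: the new key keeps working after the original stolen key is rotated.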