
The European Commission has confirmed a data breach after its Europa.eu web platform was hacked in a cyberattack claimed by the ShinyHunters extortion gang.
BleepingComputer first reported on Friday that this breach affects at least one of the Commission's AWS (Amazon Web Services) accounts.
The Commission says the attack didn't disrupt any Europa websites and that its staff took measures to contain the incident and prevent further data theft.
"Early findings of our ongoing investigation suggest that data have been taken from those websites. The Commission is duly notifying the Union entities who might have been affected by the incident. The Commission's services are still investigating the full impact of the incident," the European Union's main executive body said in a Friday press release published after BleepingComputer reached out for more details on the cyberattack.
"The Commission's internal systems were not affected by the cyber-attack. The Commission will continue to monitor the situation and take all necessary measures to ensure the security of its internal systems and data. It will analyse the incident and use the results to further enhance its cybersecurity capabilities."
While the Commission didn't share further information regarding the attack, the threat actor who claimed responsibility for the breach told BleepingComputer last week that they had stolen over 350 GB of data, including multiple databases, before their access was blocked.
Although they didn't disclose how they breached the Commission's Amazon AWS accounts, they provided screenshots proving they had access to some European Commission employees' data.
Data extortion group ShinyHunters has also added a European Commission entry to its dark web leak site, claiming the theft of "data dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material," and released an archive of over 90 GB of files allegedly stolen from the Commission's compromised cloud environment.

In recent months, ShinyHunters has also claimed breaches at Infinite Campus, CarGurus, Canada Goose, Panera Bread, Betterment, SoundCloud, PornHub, and online dating giant Match Group (which owns multiple popular dating services, including Tinder, Hinge, Meetic, Match.com, and OkCupid).
Some of these victims were breached in a large-scale voice phishing (vishing) campaign that targeted single sign-on (SSO) accounts at Okta, Microsoft, and Google across more than 100 high-profile organizations.
The Commission also disclosed a data breach in February after discovering that the mobile device management platform it uses to manage staff's devices had been hacked.
These security breaches were disclosed after the Commission proposed new cybersecurity legislation to strengthen member states' defenses against state-backed actors and cybercrime groups targeting their critical infrastructure.