ACCORDING to CERT-EU, the European Commission’s Europa web hosting platform on AWS was breached via the Trivy supply chain compromise (CVE-2026-33634), with initial access on 19 March, detection on 24 March, and notification to CERT-EU on 25 March. The breach exposed 340 GB uncompressed (91.7 GB compressed) of data and around 52,000 email-related files, affecting 71 clients including 42 internal European Commission departments and 29 other EU entities.
ShinyHunters published the stolen data on 28 March, and CERT-EU confirmed no lateral movement to other Commission AWS accounts. Sportradar AG’s breach was confirmed as a systemic compromise jointly operated by TeamPCP and Vect, with entry via the Trivy CVE, exposing approximately 26,000 users’ personal data, 23,169 athlete records, and a client table listing 161 organisations such as ESPN, Nike, NBA Asia and IMG Arena.
The incident also revealed credentials exposure, including 8 production RDS passwords and 328 API key/secret pairs. Mandiant estimated the campaign affected over 1,000 SaaS environments and perhaps 500,000 machines across all victims.