ShinyHunters Claims Theft of Council of Europe HR and Payroll Data
ShinyHunters claimed it breached the Council of Europe and stole roughly 297 GB of data, saying it exfiltrated more than 429,000 files from multiple departments and threatening to publish the material unless the organization makes contact by June 16. The gang’s leak-site post described a haul spanning the Secretariat, human resources, payroll administration, parliamentary and conference-related units, and said the cache includes payslips, personnel files, CVs, payroll exports, contract records, and performance evaluations affecting more than 10,000 staff.
The allegedly stolen records contain highly sensitive personal data, including names, addresses, dates of birth, salaries, bank details, tax and social security information, and medical or absence records. The Council of Europe said it is investigating the claims and had not confirmed a breach at the time of reporting, while the incident was linked in coverage to ShinyHunters’ broader run of extortion and data-theft operations involving Salesforce-related intrusions, Snowflake customer breaches, and reported exploitation of an Oracle PeopleSoft zero-day.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Council of Europe says it is assessing ShinyHunters breach claims
The Council of Europe told BleepingComputer it was investigating and assessing ShinyHunters' claims but had not confirmed that a breach occurred. SecurityWeek likewise reported that the organization had not publicly acknowledged the incident at the time of reporting.
ShinyHunters claims Council of Europe breach and sets June 16 leak deadline
ShinyHunters posted that it had stolen roughly 297 GB of Council of Europe data, including more than 429,000 files from HR, payroll, and other departments, and threatened to publish the data unless contacted by June 16, 2026. The claimed haul allegedly affects over 10,000 staff and includes sensitive personal, financial, and medical information.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
ShinyHunters Claims Council of Europe Hack - SecurityWeek
securityweek.com
Open sourceCouncil of Europe investigates ShinyHunters data breach claims
bleepingcomputer.com
Open sourceShinyHunters Claims Theft of 297GB of Council of Europe Data; Claims Unconfirmed As Yet - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceRansomware Group shinyhunters Hits: coe.int
hookphish.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Data-Extortion Claims Target Crunchbase and Waltio
**Crunchbase** confirmed a cybersecurity incident after the **ShinyHunters** cybercrime group claimed it stole **over 2 million personal records**. ShinyHunters reportedly posted a **402 MB compressed archive** online after an extortion attempt failed, and Crunchbase stated the threat actor **exfiltrated certain documents from its corporate network**. Crunchbase said business operations were not disrupted, the incident was **contained**, external cybersecurity experts were engaged, and **federal law enforcement** was notified while the company reviews the exposed data to determine required legal notifications. In a separate ShinyHunters-linked extortion case, French crypto tax platform **Waltio** was reported to be facing a ransom threat tied to alleged theft of personal data for **nearly 50,000 users**, including threatened exposure of users’ **2024 tax reports**. Waltio stated its services and production systems remained secure and that **no sensitive banking or crypto access data** was compromised. The activity aligns with ShinyHunters’ established pattern of **data theft and leak-site pressure** when ransom demands are not met.
Mar 21, 2026
European Commission Confirms AWS-Hosted Cloud Breach and Data Theft
The European Commission disclosed a cyberattack affecting cloud infrastructure used to host websites on the `Europa.eu` platform, saying early findings indicate data was stolen from at least one AWS account in its environment. The Commission said it detected the incident on March 24 and took immediate containment measures, while stressing that its internal systems were not compromised and that AWS infrastructure itself was unaffected. It is notifying potentially affected Union entities and continues to investigate the scope and impact of the breach. Subsequent reporting linked the intrusion to **ShinyHunters**, which allegedly claimed to have taken more than **350GB** of data, including databases, and to still have access to a Commission email server. The cloud breach followed another security incident reported earlier in the year involving European Commission staff mobile devices and a mobile device management environment, with that separate intrusion reportedly associated with exploitation of **Ivanti EPMM**. Together, the incidents have intensified scrutiny of the Commission’s security posture across both cloud-hosted services and employee device management systems.
May 27, 2026
ShinyHunters Claims Large-Scale Data Theft From Dutch Telecom Odido
**ShinyHunters** has claimed responsibility for breaching Dutch telecommunications provider **Odido** (and brand **BEN**) and stealing a much larger dataset than the company initially indicated. Odido previously disclosed that attackers accessed its customer contact system and downloaded customer data, reporting the incident to the Dutch Data Protection Authority, cutting off attacker access, and bringing in external incident-response support. Odido said the exposed data varied by customer and could include identifiers and contact details such as name, address, mobile number, customer number, email address, **IBAN**, date of birth, and some ID details (e.g., passport/driver’s license numbers and validity), while stating that Mijn Odido passwords, call/location/data/billing details, and scans of identity documents were not exposed. ShinyHunters subsequently listed Odido on its leak site and alleged theft of **~21 million records** tied to **~8 million customers**, asserting Odido downplayed the scope. The gang’s claims also include highly sensitive elements—most notably **plaintext passwords**—and additional materials such as internal corporate documents and source code, which (if accurate) would materially increase risks of credential stuffing/account takeover, identity fraud, and follow-on intrusion. At the time of reporting, the expanded dataset details (including plaintext passwords and source code) were presented as **attacker claims** rather than independently confirmed by Odido.
Mar 26, 2026