ShinyHunters claimed a 350GB exfiltration from the European Commission’s AWS-hosted cloud environment, including mail server data, databases, and confidential documents, in a breach consistent with their documented SSO-federation abuse methodology. The attack surface involves Okta, Microsoft Entra ID, and Google Workspace SSO integrations with AWS, and follows a prior February 2026 breach of the same organization, indicating persistent targeting. Organizations sharing SSO federation with affected tenants or operating similar AWS/SSO architectures should immediately audit CloudTrail for anomalous data access events, enforce phishing-resistant MFA on all federated identity providers, and review OAuth token grants for over-permissive third-party application access.