leaksear.ch has indexed 1,798 European Commission DIGIT single sign-on user records linked to a ShinyHunters leak, with names, email addresses, usernames, and internal user IDs, and a breach date of March 22, 2026 (leaksear.ch metadata). DIGIT is the Commission's Directorate-General for Digital Services, the department responsible for digital services supporting Commission departments and EU institutions (commission.europa.eu).
What happened
The public incident context is the March 2026 breach of the European Commission's Europa.eu cloud-hosted web platform. The Commission said it discovered the cyberattack on March 24, 2026, affecting cloud infrastructure that hosted its Europa.eu web presence, and said early findings suggested data had been taken while Europa websites and internal systems were not disrupted (ec.europa.eu).
CERT-EU later assessed with high confidence that initial access came through the Trivy supply-chain compromise, after a threat actor obtained an AWS secret on March 19, 2026. CERT-EU said about 91.7 GB of compressed data was exfiltrated from the affected AWS account and that ShinyHunters made the stolen data publicly available on March 28, 2026 (cert.europa.eu).
BleepingComputer reported that ShinyHunters claimed to have stolen more than 350 GB of European Commission data and added a European Commission entry to its leak site, while the Commission did not publish detailed field-level exposure at the time of its initial statement (www.bleepingcomputer.com). The 1,798-record DIGIT SSO dataset indexed by leaksear.ch should be treated as a specific exposed subset, not as the full size of the broader Europa cloud incident (leaksear.ch metadata).
What data was exposed
The leaksear.ch indexing metadata lists email, name, and username as searchable fields for this leak (leaksear.ch metadata). Additional fields stored in the indexed records include display name, given name, family name, source name variants, and user ID (leaksear.ch metadata).
The metadata supplied for this indexed leak does not list passwords, password hashes, phone numbers, payment data, or national ID numbers (leaksear.ch metadata). CERT-EU's analysis of the broader published dataset also confirmed personal data such as names, last names, usernames, and email addresses, and said some outbound email-related files could contain user-submitted content in bounce-back messages (cert.europa.eu).
Why this matters
Names, work email addresses, and SSO usernames can help attackers tailor phishing, impersonation, and account-enumeration attempts against Commission-linked users and organizations. Security teams should review authentication telemetry for password-spray, reset, and suspicious SSO activity involving exposed identifiers, while individuals should treat unexpected Commission-themed messages with caution.
Because public sources describe a broader cloud-platform data theft alongside this smaller indexed SSO subset, affected EU entities should approach the leak as both an identity-exposure issue and a web-platform incident triage matter (cert.europa.eu, ec.europa.eu). To check whether your own email, name, or username appears in this leak, use the leaksear.ch exposure search for this dataset.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include email, name, and username.