The Council of Europe has a problem, and it's not a political one. Over the weekend, the continent's oldest intergovernmental body—which represents 46 member states and over 700 million people—confirmed it is investigating a massive alleged data breach. The group behind the claims is ShinyHunters, a gang of seasoned extortionists who have spent the last six years making life miserable for enterprise SaaS platforms and major brands.
ShinyHunters claims to have stolen upwards of 429,000 documents containing sensitive HR and payroll records. The group posted proof of the breach on their dark web leak site, accompanied by a ticking clock. They set a hard deadline for Tuesday, June 16, 2026. If the Council of Europe doesn't respond by then, ShinyHunters threatens to publish the entire database and launch a wave of digital disruptions.
When BleepingComputer reached out to the Council of Europe's media department, they didn't deny the incident. Instead, they issued a brief, boilerplate statement: "We are currently investigating the matter and assessing the situation. We have no further comment to make at this stage." That's standard crisis communications speak for "we're scrambling behind the scenes."
And they should be. The Council of Europe is one of the most prominent human rights organizations in the world. It promotes democracy and the rule of law. A breach of this scale doesn't just expose files; it compromises the personal security of the people working to maintain these European institutions.
Quantifying the Damage: What Was Stolen?
Let's look at the numbers. They're bad. ShinyHunters claims the haul includes more than 409,000 payslips for over 10,000 staff members. The files allegedly span a fifteen-year period, from 2011 to 2026. That is a massive historical archive.
But the payslips are only part of the story. The threat actors also claim to have snatched:
- Over 3,700 in-house personnel files
- More than 14,000 curricula vitae (CVs)
- Assorted internal HR documents
Think about what is actually in those documents. We're talking about names, dates of birth, home addresses, phone numbers, and employee ID codes. Worse, payroll files contain bank account numbers, tax details, and Social Security information. Adding to the nightmare, the files reportedly contain medical records and salary histories.
For a staff member at a human rights organization, this exposure is hazardous. It isn't just about identity theft. These individuals often handle sensitive dossiers. If their home addresses, phone numbers, and bank accounts are leaked, they become vulnerable to targeted coercion, doxxing, or phishing. This isn't theoretical risk; it is a direct threat to the safety of international civil servants.
The ShinyHunters Playbook: Bypassing the Perimeter
To understand how this happened, you have to understand how ShinyHunters operates. They don't waste time banging on secure firewalls. They find the doors that organizations leave unlocked. According to research from DoControl, the group's tactics are built on exploiting modern SaaS complexities and critical vulnerabilities, such as the Oracle PeopleSoft RCE.
Here's the usual playbook they run:
First, they abuse OAuth tokens. Modern enterprise tools are interconnected. A CRM connects to your email. An HR platform connects to a chatbot. ShinyHunters targets a single, weak third-party integration. Once they compromise it, they steal the OAuth token. Because tokens represent pre-authorized entries, they bypass multi-factor authentication entirely. The attacker is already in. This was the exact method they used in the Salesloft Drift breach of August 2025, which compromised 760 Salesforce customers in a single blow.
Second, they scan for SaaS misconfigurations. They love finding public guest profiles on platforms like Salesforce Experience Cloud. They also scan public GitHub repositories for hardcoded API keys and credentials that developers accidentally left behind.
Then there is vishing. ShinyHunters has weaponized AI-powered voice phishing. They use AI platforms to run automated calls that mimic corporate helpdesks or HR agents. In the August 2025 Workday breach, they used these calls to trick support workers into handing over credentials. Once inside the customer support ticket system, they gathered email addresses and phone numbers organization-wide.
While we don't know the exact entry point for the Council of Europe hack yet, it's highly likely they capitalized on one of these vectors. An over-privileged token, a developer's mistake on GitHub, or an employee falling for a voice clone. The perimeter did not fail. The configuration did.
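A defender-side check for the over-privileged token scenario described above, as an added example that is not part of the original article: it audits an inventory of OAuth grants for broad scopes, non-expiring tokens and stale third-party integrations. The grant record format, the scope names and the sample data are constructed assumptions, not any platform's real export.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical scope names: substitute the ones your SaaS platform actually uses.
BROAD_SCOPES = {"full_access", "payroll.export", "hr.records.read_all"}
STALE_AFTER = timedelta(days=90)

# Constructed sample inventory of OAuth grants (not real data).
SAMPLE_GRANTS = [
    {"app": "chat-assistant", "third_party": True,
     "scopes": ["full_access", "offline_access"],
     "last_used": "2026-01-10T08:00:00+00:00", "expires": None},
    {"app": "payroll-sync", "third_party": True,
     "scopes": ["payroll.export"],
     "last_used": "2026-06-01T08:00:00+00:00",
     "expires": "2026-07-01T00:00:00+00:00"},
    {"app": "intranet-sso", "third_party": False,
     "scopes": ["profile.read"],
     "last_used": "2026-06-10T08:00:00+00:00",
     "expires": "2026-06-11T08:00:00+00:00"},
]

def audit_grant(grant, now):
    """Return the list of reasons this grant deserves review."""
    reasons = []
    broad = BROAD_SCOPES.intersection(grant["scopes"])
    if broad:
        reasons.append("broad scopes: " + ", ".join(sorted(broad)))
    if grant["expires"] is None:
        reasons.append("token never expires")
    if now - datetime.fromisoformat(grant["last_used"]) > STALE_AFTER:
        reasons.append("unused for over 90 days")
    # A risky grant held by a third party widens the blast radius.
    if reasons and grant["third_party"]:
        reasons.append("held by third-party integration")
    return reasons

def audit(grants, now):
    """Map app name -> reasons, most reasons first, omitting clean grants."""
    findings = {g["app"]: audit_grant(g, now) for g in grants}
    flagged = {app: r for app, r in findings.items() if r}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    now = datetime(2026, 6, 14, tzinfo=timezone.utc)
    for app, reasons in audit(SAMPLE_GRANTS, now).items():
        print(f"{app}: {'; '.join(reasons)}")
```

Grants that surface here are candidates for revocation or scope reduction, since a stolen token carries exactly the access the grant was given.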
A History of High-Profile Disruptions
ShinyHunters isn't a new threat. They first appeared around May 2020 on the dark web, offering millions of stolen customer records from sites like Tokopedia, a major Indonesian e-commerce platform. They quickly established themselves as a premier black-hat cartel, selling databases on BreachForums and dark net marketplaces like Empire and RaidForums.
Over the years, their victim list has grown to include some of the leading names in tech, retail, and corporate services:
- Microsoft GitHub: In 2020, they exfiltrated 500GB of private repositories.
- Wattpad: Stole 271 million user records, selling them for $100,000 before leaking them.
- Salesforce Data Loader Campaign (2025): Compromised over 200 instances using vishing and data tools.
- Louis Vuitton & LVMH (2025): Maintained access for a month, stealing customer transaction histories across several continents.
- Kering (2025): Breached brands including Gucci, Balenciaga, and Alexander McQueen.
- Pizza Hut Australia (2023): Compromised cloud buckets containing 30 million customer records.
Law enforcement has tried to shut them down. In 2022, French citizen Sébastien Raoult was arrested in Morocco and extradited to the United States. He was sentenced in early 2024 to three years in prison. In June 2025, French police arrested four more suspects linked to the administration of BreachForums.
But these arrests didn't kill the group. They merely slowed them down. ShinyHunters continues to operate under the leadership of a persona known as "ShinyCorp" or "sp1d3rhunters." Threat intelligence teams, including Google, track their activities under various clusters like UNC6040, UNC6240, and UNC6661. They are resilient, highly organized, and financially motivated.
Broader Implications for Intergovernmental Security
This breach raises uncomfortable questions about how international organizations protect their data. The Council of Europe is not a commercial enterprise. It does not have a marketing database full of retail shoppers. It holds diplomatic secrets and personnel files of human rights defenders.
If ShinyHunters carries out its threat to leak the 429,000 documents, the fallout will stretch beyond standard credit monitoring offerings. Because the Council has 46 member states, the data is subject to complex international jurisdiction challenges. Yet, the absolute priority must be protecting the personnel who keep these courts and assemblies running.
Ransomware and extortion gangs have learned that intergovernmental bodies often have fragmented security leadership. A centralized security policy is difficult to enforce when tens of thousands of staff are spread across dozens of departments and jurisdictions. ShinyHunters knows this. They are betting that the Council will choose to pay rather than face a massive public exposure of its staff's salaries, medical records, and bank accounts.
As the June 16, 2026 deadline approaches, the Council of Europe must decide how to respond. Paying a ransom to a well-known cybercriminal gang only funds future campaigns. But the cost of a leak is measured in human safety and institutional trust. For Ava Chen, this looks like another case where the perimeter was guarded, but the SaaS backdoor was left wide open.