Cyber Incident Victim: KDDI

Date:

Jun 2026

Location:

Japan

Summary

KDDI Corporation detected unauthorized access to its shared email system after attackers exploited a vulnerability in undisclosed third‑party software, leading to the potential exposure of up to 14.2 million email addresses and passwords belonging to current, former and inactive customers of the provider and five other Japanese ISPs. Upon discovery, the attacker was blocked and technical countermeasures were applied, while the provider notified affected ISPs and Japanese regulatory authorities and began an ongoing investigation. No malware, phishing or credential stuffing was involved, and no indicators of compromise or threat actor attribution have been released. The compromised data includes email addresses and passwords, some stored in hashed or encrypted form, though the exact protection methods have not been disclosed.

CIA Posture: Available to members
Motives: 0 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On June 17, 2026, KDDI Corporation detected unauthorized access to its email system, which is shared with five other Japanese internet service providers: STNet, Inc., JCOM Co., Ltd., Chubu Telecommunications Co., Inc., NIFTY Corporation, and BIGLOBE Inc. The breach resulted from the exploitation of a vulnerability in unnamed third‑party software used in the email system. As a consequence, up to 14.2 million email addresses and passwords may have been exposed, affecting current, former, and inactive customers of the impacted ISPs. The specific version of the vulnerable software has not been disclosed. No evidence was found that phishing, credential stuffing, or malware deployment served as the initial access vector.

Upon detection, KDDI immediately blocked the attacker and implemented technical countermeasures to prevent further unauthorized access. The company began notifying the affected ISPs and Japanese regulatory authorities, including the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications, on the same day. Public disclosure of the incident occurred between June 23 and June 28, 2026. KDDI stated that the investigation is ongoing and that no technical indicators of compromise, such as file hashes, malicious domains, or IP addresses, have been made public. No threat actor attribution has been established by KDDI, law enforcement, or any reporting security firm.

The compromised data consists of email addresses and passwords; KDDI indicated that some passwords were stored in hashed or encrypted form, but the exact encryption methods and the proportion of accounts stored in plaintext versus protected formats have not been disclosed. There is no indication of lateral movement, privilege escalation, or data exfiltration beyond the email system. The attack aligns with the MITRE ATT&CK technique T1190 (Exploit Public‑Facing Application). The patch status for the exploited third‑party software remains unknown, and the investigation continues to determine the full scope and technical details of the breach.
