KDDI Email System Breach Exposes Up to 14.2 Million Credentials Across Six Japanese ISPs

Executive Summary

On June 17, 2026, KDDI Corporation, one of Japan’s largest telecommunications providers, detected unauthorized access to its email system, which is shared with five other Japanese internet service providers (ISPs). The breach was caused by exploitation of a vulnerability in unnamed third-party software used in the email system. As a result, up to 14.2 million email addresses and passwords may have been exposed, affecting current, former, and inactive customers of the impacted ISPs. Upon discovery, KDDI immediately blocked the attacker, implemented technical countermeasures, and began notifying affected ISPs and Japanese regulatory authorities. The company is working with all stakeholders to mitigate risks, urging customers to reset passwords and enable two-factor authentication where available. No technical indicators of compromise or threat actor attribution have been disclosed as of the time of this report. The investigation is ongoing, and further technical details may emerge.

Technical Information

The breach at KDDI Corporation was the result of exploitation of a vulnerability in third-party software integrated into its email system, which is also used by five other Japanese ISPs: STNet, Inc., JCOM Co., Ltd., Chubu Telecommunications Co., Inc., NIFTY Corporation, and BIGLOBE Inc. The attacker gained unauthorized access to the email system, potentially exposing up to 14.2 million email addresses and passwords. The incident was detected on June 17, 2026, after which KDDI promptly blocked the attacker and implemented defensive measures.

The technical root cause is explicitly attributed to a software vulnerability in a public-facing application, mapped to the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). This technique involves adversaries exploiting weaknesses in internet-facing software to gain unauthorized access. All primary sources confirm that the breach was not the result of phishing, credential stuffing, or malware deployment, but rather a direct exploitation of the software vulnerability.

Upon detection, KDDI implemented immediate technical countermeasures, including blocking the attacker and modifying the affected system to prevent further damage. The company also began a coordinated response with the affected ISPs and notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications, as required by regulatory frameworks.

The compromised data includes email addresses and passwords. While KDDI states that some passwords were stored in hashed or encrypted form, the company has not disclosed the specific encryption methods or the proportion of accounts stored in plaintext versus protected formats. This lack of detail introduces uncertainty regarding the risk of credential abuse. The exposure affects not only active users but also former and inactive accounts, increasing the potential impact.

No malware, exploit kits, or specific tools have been identified or disclosed in any of the primary sources. There is also no evidence of lateral movement, privilege escalation, or data exfiltration beyond the email system. The absence of technical indicators such as file hashes, malicious domains, or IP addresses limits the ability of organizations to proactively detect related activity in their environments.

No threat actor attribution has been made by KDDI, law enforcement, or any reporting security firm as of June 28, 2026. The attack method is consistent with tactics used by both financially motivated and state-sponsored actors, but there is no technical evidence linking this breach to any known group. The targeting of shared infrastructure in the telecommunications sector is notable, as it amplifies the scale of impact across multiple ISPs.

The incident triggered regulatory notification and compliance actions, with KDDI reporting to Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. The company is working with affected ISPs to implement additional security controls and to notify customers. Customers are strongly advised to reset their email account passwords and enable two-factor authentication where available.

The investigation into the full scope and technical details of the breach is ongoing. As of the time of this report, no technical indicators of compromise or further details about the exploited vulnerability have been made public.

Affected Versions & Timeline

The breach affected the email system operated by KDDI Corporation and shared with the following ISPs: STNet, Inc., JCOM Co., Ltd., Chubu Telecommunications Co., Inc., NIFTY Corporation, and BIGLOBE Inc. The specific third-party software and its version remain undisclosed.

The timeline of verified events is as follows: On June 17, 2026, KDDI detected unauthorized access to its email system, blocked the attacker, and implemented technical countermeasures. On the same day, KDDI began notifying affected ISPs and relevant Japanese authorities, including the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. Public disclosure of the breach and media coverage occurred between June 23 and June 28, 2026.

The compromised data includes up to 14.2 million email addresses and passwords, affecting current, former, and inactive users. The investigation is ongoing, and the exact breakdown of affected accounts and password storage methods has not been disclosed.

Threat Activity

The threat activity in this incident centers on the exploitation of a vulnerability in third-party software used in KDDI’s email system. The attacker gained unauthorized access to the system, potentially exposing a large volume of email credentials. There is no evidence of malware deployment, phishing, or credential stuffing as the initial access vector. The attack is mapped to the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application).

No threat actor attribution has been made, and there are no technical indicators linking this breach to any known group or campaign. The attack method is consistent with tactics used by both financially motivated and state-sponsored actors targeting telecommunications infrastructure, but no unique indicators or patterns have been disclosed.

The breach specifically targeted the telecommunications and ISP sector in Japan, leveraging a shared email system to maximize impact. This pattern of targeting shared infrastructure is notable but not unique to this incident.

Mitigation & Workarounds

The following mitigation steps have been confirmed by primary sources and are prioritized by severity:

Critical: All affected customers are strongly advised to reset their email account passwords immediately. If two-factor authentication (2FA) is available, it should be enabled to provide an additional layer of security.

High: KDDI and affected ISPs have implemented technical countermeasures to block the attacker and prevent further unauthorized access. The company is working with regulatory authorities to ensure compliance and to coordinate additional security measures.

Medium: Customers should monitor their accounts for signs of unauthorized access and be alert for phishing attempts that may leverage exposed credentials.

Low: Organizations using similar third-party software in their own environments should review their exposure and apply available patches or mitigations, even though the specific software and version have not been disclosed.

The patch status for the exploited third-party software is not known at this time. Customers and organizations should remain vigilant and follow updates from KDDI and affected ISPs as the investigation progresses.
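The password-reset and account-monitoring steps above can be tracked on the operator side with a check like the following. This is an added example, not code from KDDI, the affected ISPs, or this report's sources; the CSV columns, addresses and log rows are constructed, and treating the June 17, 2026 detection date as midnight UTC is an assumption.

```python
import csv
import io
from datetime import datetime, timezone

# Detection date from the report; midnight UTC is an assumption (only the date is public).
BREACH_DETECTED = datetime(2026, 6, 17, tzinfo=timezone.utc)

# Constructed sample data with hypothetical columns; IPs are documentation ranges.
ACCOUNTS_CSV = """user,status,password_changed
alice@example.jp,active,2026-06-24T09:00:00+00:00
bob@example.jp,active,2025-11-02T12:30:00+00:00
carol@example.jp,former,2021-03-15T08:00:00+00:00
dave@example.jp,inactive,2019-07-01T00:00:00+00:00
"""
AUTH_LOG_CSV = """ts,user,result,src_ip
2026-06-20T01:12:00+00:00,carol@example.jp,success,203.0.113.7
2026-06-21T03:40:00+00:00,bob@example.jp,success,198.51.100.23
2026-06-22T10:00:00+00:00,dave@example.jp,failure,203.0.113.7
2026-06-25T08:15:00+00:00,alice@example.jp,success,192.0.2.10
"""

def load_accounts(text):
    """Map user -> (status, time of last password change)."""
    return {r["user"]: (r["status"], datetime.fromisoformat(r["password_changed"]))
            for r in csv.DictReader(io.StringIO(text))}

def pending_resets(accounts):
    """Users whose current password predates the detection date."""
    return sorted(u for u, (_, changed) in accounts.items() if changed < BREACH_DETECTED)

def risky_logins(accounts, log_text):
    """Successful logins since detection with no password reset in between."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        if row["user"] not in accounts or row["result"] != "success" or ts < BREACH_DETECTED:
            continue
        status, changed = accounts[row["user"]]
        if BREACH_DETECTED <= changed <= ts:
            continue  # password was rotated before this login
        # Former and inactive accounts should not be logging in at all.
        severity = "review" if status == "active" else "high"
        findings.append((row["ts"], row["user"], row["src_ip"], severity))
    return findings

if __name__ == "__main__":
    accts = load_accounts(ACCOUNTS_CSV)
    print(pending_resets(accts), risky_logins(accts, AUTH_LOG_CSV))
```

A successful login on a former or inactive account is rated higher than one on an active account because the report notes that dormant accounts are part of the exposed set.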

Indicators of Compromise

At the time of writing, no public indicators of compromise (IOCs) have been disclosed in any primary source. Organizations should monitor for updates from KDDI and relevant authorities, and validate any future indicators before enforcement.

References

https://www.bleepingcomputer.com/news/security/data-breach-exposes-up-to-142-million-email-logins-at-six-isps/ (June 28, 2026)

https://securityaffairs.com/194387/data-breach/kddi-data-breach-impacts-up-to-14-2-million-email-accounts-at-six-isps.html (June 28, 2026)

https://www.infosecurity-magazine.com/news/kddi-breach-japanese-telcos/ (June 24, 2026)

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their digital supply chain. Our platform enables continuous monitoring of vendor security posture, supports regulatory compliance, and delivers actionable insights for incident response and risk mitigation. For questions about this report or to discuss how our capabilities can support your organization’s risk management needs, contact us at info@rescana.com.