Executive Summary
On June 17, 2026, KDDI, one of Japan’s largest telecommunications providers, detected unauthorized access to its email system used by six major Japanese internet service providers (ISPs). The breach resulted in the confirmed exposure of approximately 12.23 million email addresses and 7.61 million passwords, with the potential compromise of up to 14.22 million sets of credentials. The incident was caused by the exploitation of a vulnerability in third-party software integrated into the email platform. While passwords were stored in hashed or encrypted form, KDDI has warned that they may still be at risk. The company responded by patching the vulnerability, implementing technical defense measures, and enforcing password resets for affected users. As of the latest reports, there is no evidence of secondary damage or misuse of the compromised data. Regulatory authorities have been notified, and KDDI is coordinating with affected ISPs to complete remediation and prevent recurrence.
Technical Information
The breach at KDDI was initiated through the exploitation of a vulnerability in third-party software used within its email system, which serves six Japanese ISPs: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and BIGLOBE. The attack vector aligns with MITRE ATT&CK technique T1190 (Exploit Public-Facing Application), where adversaries exploit weaknesses in internet-facing software to gain unauthorized access. All available evidence from primary sources confirms that the breach was not the result of phishing, credential stuffing, or malware deployment, but rather a direct exploitation of the software vulnerability.
Upon detection of the unauthorized access on June 17, 2026, KDDI immediately blocked the attackers and implemented technical countermeasures to prevent further damage. The company’s investigation, conducted in coordination with regulatory authorities, found no evidence of lateral movement, privilege escalation, or data exfiltration beyond the compromised email system. The breach affected both active and inactive user accounts, increasing the potential impact and risk of credential misuse.
No specific malware, exploit kits, or tools have been identified or disclosed in any of the primary sources. There is also no evidence of threat actor attribution, and the attack method is consistent with tactics used by both financially motivated and state-sponsored actors. The targeting of shared infrastructure in the telecommunications sector is notable, as it amplifies the scale of impact across multiple ISPs.
KDDI’s response included patching the exploited vulnerability, ramping up detection of fraudulent access attempts, and planning to use artificial intelligence to analyze software design specifications and programs for comprehensive issue identification. The company has urged all impacted users to change their email passwords immediately and is working with ISP partners to enforce mandatory password resets.
The compromised data includes email addresses and passwords, some of which were stored in hashed or encrypted form. However, KDDI has acknowledged the risk that these credentials may have been obtained by attackers. The company’s own consumer email services for mobile and fixed-line internet customers, which run on separate infrastructure, were not affected by this incident.
Affected Versions & Timeline
The breach specifically impacted the email system used by six Japanese ISPs: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and BIGLOBE. The affected system managed customer email accounts, webmail services, and email storage for these providers. The vulnerability was present in third-party software integrated into this shared platform.
The timeline of the incident is as follows: On June 17, 2026, KDDI detected unauthorized access and immediately blocked the attackers. The company notified affected ISPs and Japanese regulatory authorities on the same day. Public disclosure and media coverage occurred between June 23 and June 28, 2026. By July 7, 2026, KDDI had completed its forensic investigation and confirmed the scale of the data exposure, submitting a report to Japan’s communications ministry.
Threat Activity
The threat activity in this incident was limited to the exploitation of a vulnerability in third-party software used by the email system. There is no evidence of phishing, malware deployment, or credential stuffing. The attack did not extend beyond the compromised email system, and no lateral movement or privilege escalation was detected. The method used is consistent with MITRE ATT&CK technique T1190 (Exploit Public-Facing Application).
No threat actor attribution has been made by KDDI, law enforcement, or any reporting security firm as of July 7, 2026. The attack method is consistent with tactics used by both financially motivated and state-sponsored actors, but there is no technical evidence linking this breach to any known group. The targeting of shared infrastructure in the telecommunications sector is notable, as it amplifies the scale of impact across multiple ISPs.
Mitigation & Workarounds
KDDI and the affected ISPs have implemented several mitigation measures in response to the breach. The exploited vulnerability in the third-party software was patched immediately after detection. Technical defense measures were put in place to prevent further unauthorized access, including ramping up detection of fraudulent access attempts to servers. Impacted users have been urged to change their email passwords, and mandatory password resets are being enforced across all affected accounts. KDDI is also planning to use artificial intelligence to analyze software design specifications and programs to comprehensively identify potential issues and prevent recurrence.
From a customer perspective, the most critical actions are to change passwords for affected email accounts, especially if the same credentials are used on other services, and to enable two-factor authentication where available. Organizations using similar third-party software in their own environments should review their exposure, apply available patches, and monitor for suspicious activity.
Indicators of Compromise
The following caveat applies: Indicators of compromise (IOCs) are point-in-time and should be validated before enforcement. No public indicators of compromise were available at the time of writing.
References
The Japan Times, July 7, 2026: https://www.japantimes.co.jp/business/2026/07/07/companies/kddi-passwords-number/
Security Affairs, June 28, 2026: https://securityaffairs.com/194387/data-breach/kddi-data-breach-impacts-up-to-14-2-million-email-accounts-at-six-isps.html
The Record, July 7, 2026: https://therecord.media/major-japanese-telco-cyberattack-12-million-emails
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their digital supply chain. Our platform enables continuous monitoring of vendor security posture, rapid detection of emerging threats, and evidence-based risk analysis to support incident response and regulatory compliance. For questions about this report or to discuss how our capabilities can support your organization’s risk management needs, please contact us at info@rescana.com.



