The Breach and Scale
Japanese telecom giant KDDI has disclosed a significant data breach affecting over 12 million individuals. The incident, discovered on June 17, 2026, involved attackers infiltrating an email platform used by five internet service providers (ISPs): STNet, JCOM, Chubu Telecommunications, NIFTY Corporation, and BIGLOBE. The company is the second largest mobile provider in Japan, with approximately 45,000 employees. The attackers gained access to the email addresses of 12,233,087 people and the passwords of 7,616,173 others. While some passwords were stored in hashed or encrypted form, KDDI did not specify how many were in plaintext.
Attack Vector and Response
According to KDDI, the attackers gained initial access on May 16 by exploiting a zero day vulnerability in a third party software product. The software vendor was reportedly unaware of the flaw at the time KDDI identified it. KDDI has since blocked the attackers, deployed endpoint detection and response (EDR) software, and confirmed through a forensic audit on June 23 that the vulnerability has been patched. The company is now forcing password resets for affected email accounts across the impacted ISPs. KDDI also notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.
Source: BleepingComputer
