12.2 million
Japanese telecommunications corporation KDDI has officially disclosed that a data breach affecting 12.2 million individuals was the result of a zero-day exploit in a third-party email platform. The attack compromised the email addresses of 12,233,087 users and the passwords of 7,616,173 users across five associated Internet Service Providers (ISPs). The attackers exploited the vulnerability starting on May 16, 2026, a full month before KDDI detected the unauthorized access on June 17. The company is now forcing password resets for all impacted accounts and has deployed enhanced security measures. This incident serves as a critical reminder of the pervasive risks in the software supply chain and the potential for catastrophic impact from a single, unknown vulnerability.
The attack exploited a previously unknown zero-day vulnerability in a third-party email system developed by KDDI for its partner ISPs. While the specific CVE identifier and technical details of the flaw have not yet been publicly released, it was severe enough to allow unauthorized access to the platform's core database. The attackers leveraged this flaw for initial access and subsequent data exfiltration. The initial intrusion occurred on May 16, 2026, with the breach remaining undetected until June 17, 2026, giving the attackers a long dwell time within the compromised system.
The breach specifically impacted a shared email platform used by five Japanese Internet Service Providers (ISPs) affiliated with KDDI:
The compromised data includes 12,233,087 email addresses and 7,616,173 user passwords. KDDI noted that some passwords were in hashed or encrypted form, but the lack of detail suggests that a significant portion may have been stored in plaintext or with weak hashing, making them vulnerable to cracking. KDDI's own branded mobile and internet email services were not affected as they operate on separate infrastructure.
The vulnerability was exploited as a zero-day, meaning the attackers used the flaw before a patch was available or the vendor was aware of it. The exploitation was active in the wild from at least May 16, 2026. After discovering the breach on June 17, KDDI blocked the attackers' access. The third-party software vendor is reportedly developing a patch and preparing for a formal disclosure of the vulnerability.
The compromise of 12.2 million email addresses and 7.6 million passwords creates a massive risk for the affected individuals. This data is highly likely to be used for large-scale phishing campaigns, credential stuffing attacks against other online services, and identity theft. The association of email addresses with specific ISPs also provides attackers with contextual information they can use to craft more convincing phishing lures. For the affected ISPs, the breach will result in significant reputational damage and costs associated with incident response, customer support, and potential regulatory fines. The incident underscores the critical importance of robust security vetting for all third-party software in an organization's supply chain.
As the specific vulnerability is not public, hunting must be generic. The following patterns may help identify exploitation of similar web application vulnerabilities:
.../..%2f...w3wp.exe (on Windows)cmd.exe or powershell.exe, which could indicate successful RCE.D3-SU: Software Update process should include monitoring vendor advisories.D3-NTA: Network Traffic Analysis to baseline normal traffic patterns to and from application servers. An alert on large, unexpected egress data transfers could be an early indicator of data exfiltration, as seen in this breach.T1190 - Exploit Public-Facing Application.D3-SU: Software Update.D3-ACH: Application Configuration Hardening.Maintain a rigorous patch management program for all software, especially third-party applications, to minimize the window of opportunity for attackers.
Mapped D3FEND Techniques:
Enforce strong password policies and, more importantly, ensure passwords are never stored in plaintext or with weak hashing. Use modern, salted hashing algorithms.
Mapped D3FEND Techniques:
Isolate third-party systems from the core network to limit the blast radius in case of a compromise.
Implement Network Traffic Analysis (NTA) to monitor data flows to and from the third-party email platform. By establishing a baseline of normal traffic volume and patterns, security teams can create high-fidelity alerts for anomalies that may indicate a breach. In this KDDI incident, the attackers had a dwell time of one month. An NTA solution could have detected the large-scale exfiltration of 12.2 million user records as a significant spike in outbound traffic from the application's database servers to an external, non-corporate IP address. This would provide a critical, early warning sign of compromise, drastically reducing the attacker's dwell time and limiting the amount of data stolen. This technique is particularly valuable for detecting breaches resulting from zero-day exploits, as it focuses on post-exploitation behavior (data exfiltration) rather than the initial exploit itself.
Perform rigorous application configuration hardening on all third-party software before deployment. This includes a thorough review of how the application stores sensitive data. For the KDDI email platform, this process should have identified that user passwords were not being stored using modern, secure hashing algorithms (like Argon2 or bcrypt with a unique salt per user). A proper hardening process would mandate the remediation of this critical security flaw before the application goes live. Furthermore, hardening should involve disabling unnecessary features, restricting application permissions to the bare minimum (least privilege), and ensuring that all administrative interfaces are protected by MFA and are not exposed to the public internet. This proactive measure directly addresses the root cause of many data breaches by reducing the attack surface and ensuring that even if a vulnerability is exploited, the potential for catastrophic data loss is minimized.
Attackers begin exploiting the zero-day vulnerability to gain initial access.
KDDI discovers the unauthorized access and blocks the attackers.
A forensic audit is conducted, confirming the vulnerability was addressed.
KDDI provides an updated disclosure on the scale of the breach.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.