Japanese Telco KDDI Confirms Zero-Day Exploit in Third-Party Software Led to Breach of 12.2 Million Emails

Zero-Day Exploit in Third-Party Email System Hits 12 Million KDDI ISP Customers

CRITICAL
July 9, 2026
5m read
Data BreachVulnerabilitySupply Chain Attack

Impact Scope

People Affected

12.2 million

Industries Affected

Telecommunications

Geographic Impact

Japan (national)

Related Entities

Other

KDDI STNetJCOMChubu TelecommunicationsNIFTY CorporationBIGLOBE

Full Report

Executive Summary

Japanese telecommunications corporation KDDI has officially disclosed that a data breach affecting 12.2 million individuals was the result of a zero-day exploit in a third-party email platform. The attack compromised the email addresses of 12,233,087 users and the passwords of 7,616,173 users across five associated Internet Service Providers (ISPs). The attackers exploited the vulnerability starting on May 16, 2026, a full month before KDDI detected the unauthorized access on June 17. The company is now forcing password resets for all impacted accounts and has deployed enhanced security measures. This incident serves as a critical reminder of the pervasive risks in the software supply chain and the potential for catastrophic impact from a single, unknown vulnerability.

Vulnerability Details

The attack exploited a previously unknown zero-day vulnerability in a third-party email system developed by KDDI for its partner ISPs. While the specific CVE identifier and technical details of the flaw have not yet been publicly released, it was severe enough to allow unauthorized access to the platform's core database. The attackers leveraged this flaw for initial access and subsequent data exfiltration. The initial intrusion occurred on May 16, 2026, with the breach remaining undetected until June 17, 2026, giving the attackers a long dwell time within the compromised system.

Affected Systems

The breach specifically impacted a shared email platform used by five Japanese Internet Service Providers (ISPs) affiliated with KDDI:

  • STNet
  • JCOM
  • Chubu Telecommunications
  • NIFTY Corporation
  • BIGLOBE

The compromised data includes 12,233,087 email addresses and 7,616,173 user passwords. KDDI noted that some passwords were in hashed or encrypted form, but the lack of detail suggests that a significant portion may have been stored in plaintext or with weak hashing, making them vulnerable to cracking. KDDI's own branded mobile and internet email services were not affected as they operate on separate infrastructure.

Exploitation Status

The vulnerability was exploited as a zero-day, meaning the attackers used the flaw before a patch was available or the vendor was aware of it. The exploitation was active in the wild from at least May 16, 2026. After discovering the breach on June 17, KDDI blocked the attackers' access. The third-party software vendor is reportedly developing a patch and preparing for a formal disclosure of the vulnerability.

Impact Assessment

The compromise of 12.2 million email addresses and 7.6 million passwords creates a massive risk for the affected individuals. This data is highly likely to be used for large-scale phishing campaigns, credential stuffing attacks against other online services, and identity theft. The association of email addresses with specific ISPs also provides attackers with contextual information they can use to craft more convincing phishing lures. For the affected ISPs, the breach will result in significant reputational damage and costs associated with incident response, customer support, and potential regulatory fines. The incident underscores the critical importance of robust security vetting for all third-party software in an organization's supply chain.

Cyber Observables — Hunting Hints

As the specific vulnerability is not public, hunting must be generic. The following patterns may help identify exploitation of similar web application vulnerabilities:

Type
Log Source
Value
Web Application Firewall (WAF) Logs
Description
Monitor for unusual or malformed requests to email platform login pages or API endpoints that could indicate attempts to trigger a vulnerability.
Type
Log Source
Value
Database Audit Logs
Description
Look for an unusually high volume of read operations from a single source IP or user account, especially if it targets user credential tables.
Type
URL Pattern
Value
.../..%2f...
Description
Search web server logs for patterns indicative of path traversal attempts, a common vector for accessing unauthorized data.
Type
Process Name
Value
w3wp.exe (on Windows)
Description
Monitor for child processes spawned by the web server process that are unusual, such as cmd.exe or powershell.exe, which could indicate successful RCE.

Detection Methods

  • Supply Chain Monitoring: Organizations should maintain a comprehensive inventory of all third-party software and continuously monitor for new vulnerability disclosures related to those products. D3FEND's D3-SU: Software Update process should include monitoring vendor advisories.
  • Network Traffic Analysis: Use D3-NTA: Network Traffic Analysis to baseline normal traffic patterns to and from application servers. An alert on large, unexpected egress data transfers could be an early indicator of data exfiltration, as seen in this breach.
  • File Integrity Monitoring (FIM): Deploy FIM on critical web servers to detect unauthorized changes to application files or the dropping of web shells, a common post-exploitation step after exploiting a vulnerability like T1190 - Exploit Public-Facing Application.
  • Endpoint Detection and Response (EDR): KDDI deployed EDR after the breach was found. Proactive deployment on all servers, including those running third-party applications, is crucial for detecting post-exploitation activity.

Remediation Steps

  • Password Resets: KDDI and the affected ISPs have correctly initiated mandatory password resets for all impacted users. This is a critical first step to invalidate the stolen credentials.
  • Patch Management: Once the third-party vendor releases a patch for the zero-day vulnerability, it must be applied immediately to all affected systems. This is covered by D3FEND's D3-SU: Software Update.
  • Credential Security: All passwords stored in applications must be salted and hashed using a strong, modern algorithm like Argon2 or bcrypt. Plaintext or weakly hashed password storage is unacceptable.
  • Vendor Security Assessment: A thorough security review of the third-party email platform and its vendor should be conducted. This may lead to requiring architectural changes, further security audits, or migrating to a more secure platform. This falls under D3FEND's D3-ACH: Application Configuration Hardening.

Timeline of Events

1
May 16, 2026
Attackers begin exploiting the zero-day vulnerability to gain initial access.
2
June 17, 2026
KDDI discovers the unauthorized access and blocks the attackers.
3
June 23, 2026
A forensic audit is conducted, confirming the vulnerability was addressed.
4
July 6, 2026
KDDI provides an updated disclosure on the scale of the breach.
5
July 9, 2026
This article was published

MITRE ATT&CK Mitigations

Maintain a rigorous patch management program for all software, especially third-party applications, to minimize the window of opportunity for attackers.

Mapped D3FEND Techniques:

Enforce strong password policies and, more importantly, ensure passwords are never stored in plaintext or with weak hashing. Use modern, salted hashing algorithms.

Mapped D3FEND Techniques:

Isolate third-party systems from the core network to limit the blast radius in case of a compromise.

Mapped D3FEND Techniques:

Audit

M1047enterprise

Implement comprehensive logging and monitoring to detect anomalous access and data exfiltration attempts early.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

Implement Network Traffic Analysis (NTA) to monitor data flows to and from the third-party email platform. By establishing a baseline of normal traffic volume and patterns, security teams can create high-fidelity alerts for anomalies that may indicate a breach. In this KDDI incident, the attackers had a dwell time of one month. An NTA solution could have detected the large-scale exfiltration of 12.2 million user records as a significant spike in outbound traffic from the application's database servers to an external, non-corporate IP address. This would provide a critical, early warning sign of compromise, drastically reducing the attacker's dwell time and limiting the amount of data stolen. This technique is particularly valuable for detecting breaches resulting from zero-day exploits, as it focuses on post-exploitation behavior (data exfiltration) rather than the initial exploit itself.

Perform rigorous application configuration hardening on all third-party software before deployment. This includes a thorough review of how the application stores sensitive data. For the KDDI email platform, this process should have identified that user passwords were not being stored using modern, secure hashing algorithms (like Argon2 or bcrypt with a unique salt per user). A proper hardening process would mandate the remediation of this critical security flaw before the application goes live. Furthermore, hardening should involve disabling unnecessary features, restricting application permissions to the bare minimum (least privilege), and ensuring that all administrative interfaces are protected by MFA and are not exposed to the public internet. This proactive measure directly addresses the root cause of many data breaches by reducing the attack surface and ensuring that even if a vulnerability is exploited, the potential for catastrophic data loss is minimized.

Timeline of Events

1
May 16, 2026

Attackers begin exploiting the zero-day vulnerability to gain initial access.

2
June 17, 2026

KDDI discovers the unauthorized access and blocks the attackers.

3
June 23, 2026

A forensic audit is conducted, confirming the vulnerability was addressed.

4
July 6, 2026

KDDI provides an updated disclosure on the scale of the breach.

Sources & References

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

Data BreachZero-DayKDDISupply Chain AttackTelecommunicationsJapan

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.