KDDI disclosed that a cyberattack against an email platform it operates for five Japanese internet service providers exposed more than 12.2 million customer email addresses and 7.6 million passwords. The compromised system supported customer account management, webmail, and email storage, and the company said the intrusion was enabled by a vulnerability in third-party software used by the platform. KDDI initially reported the unauthorized access in June and later confirmed the scale of the breach after a forensic investigation and notification to Japan’s communications ministry.
The company said it patched the flaw and modified the affected system immediately after detecting the attack, adding that investigators found no evidence of compromise beyond exploitation of the vulnerable software. KDDI also said its own consumer email services for mobile and fixed-line internet customers run on separate infrastructure and were not affected. The incident has prompted affected ISPs to coordinate mandatory password resets for impacted users and underscored the risk that a single flaw in shared third-party software can cascade across multiple providers.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
After completing a forensic investigation and reporting to Japan's communications ministry, KDDI said the cyberattack exposed more than 12.2 million customer email addresses and 7.6 million passwords across five Japanese ISPs. The affected providers began coordinating mandatory password resets for impacted users.
After detecting the intrusion, KDDI said it immediately patched the exploited vulnerability and modified the affected system. Investigators found no evidence of compromise beyond exploitation of that flaw.
KDDI confirmed the incident on 2026-06-17, disclosing unauthorized access to an email platform it operates for multiple Japanese internet service providers. The company said the intrusion was enabled by a vulnerability in third-party software used by the platform.
KDDI said attackers initially breached the email platform on 2026-05-16 by exploiting a zero-day vulnerability in third-party software used by the service. The platform supported five Japanese ISPs affected by the later breach disclosure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
securityweek.com
Open sourcebleepingcomputer.com
Open sourcetherecord.media
Open sourcesecuritymagazine.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.