KDDI Confirms Zero-Day Exploit Behind Breach Affecting 12 Million People

Related

Aflac Japan Data Breach Impacts 4.38 Million Customers and Agents

What happened Aflac Life Insurance Japan disclosed a data breach...

Nissan Discloses Employee Data Breach Linked to Oracle Zero-Day Attacks

What happened Nissan disclosed a data breach affecting current and...

KDDI Breach Exposes Up to 14.2 Million Email Logins at Six ISPs

What happened Japanese telecommunications operator KDDI disclosed a data breach...

Xsolis Data Breach Affects 1.4 Million Individuals

What happened Healthcare technology company Xsolis disclosed a data breach...

Canadian Electricity Provider London Hydro Discloses Data Breach

What happened London Hydro disclosed a data security incident that...

Share

What happened

KDDI has updated its earlier breach disclosure, confirming that more than 12.2 million email addresses and 7.6 million passwords were exposed after attackers exploited a zero-day vulnerability in a third-party email platform used by five Japanese ISPs. The incident affected email services tied to STNet, JCOM, Chubu Telecommunications, NIFTY Corporation, and BIGLOBE.

The breach was first discovered on June 17, when KDDI blocked the attackers’ access and began implementing defensive measures. In its July 6 update, the company said the attackers had breached the platform on May 16 by exploiting a vulnerability that was not yet recognized by the software vendor at the time of KDDI’s confirmation. The vendor has since reported the vulnerability to public authorities and is working toward disclosure.

The exposed data includes email addresses belonging to 12,233,087 people and passwords belonging to 7,616,173 others. KDDI said some passwords were stored in hashed or encrypted form, which may reduce immediate account takeover risk, but it did not specify how many passwords were protected this way, whether any were stored in plaintext, or what encryption method was used.

KDDI is now working with the affected ISPs to force password changes for impacted email accounts, especially for customers who do not regularly use the affected services. The company also deployed endpoint detection and response software after the attack and said a forensic audit on June 23 confirmed that the exploited vulnerability had been addressed and that no other security issues were found in the affected systems.

Who is affected

Current and former customers of the affected ISP email services are directly affected, including users of STNet, JCOM, Chubu Telecommunications, NIFTY Corporation, and BIGLOBE services.

Inactive email accounts may also be affected, which increases risk because dormant accounts are less likely to be monitored, reset quickly, or protected with newer authentication controls.

Organizations are indirectly affected if employees reused exposed ISP email passwords for work accounts, SaaS tools, VPNs, cloud services, or other personal accounts tied to business workflows.

Why CISOs should care

This update adds an important detail beyond the breach count: the attack involved exploitation of a previously unrecognized third-party software vulnerability. That makes the incident a supply-chain and attack-surface issue, not just a customer-data exposure story.

For CISOs, the key lesson is that externally managed or third-party email platforms can become high-value targets because they hold credentials at scale. Even if the affected service is not a core enterprise system, exposed email credentials can fuel account takeover, phishing, password reuse attacks, and credential stuffing.

The password storage uncertainty also matters. KDDI said some passwords were hashed or encrypted, but without clarity on the percentage, algorithm, or whether any were plaintext, defenders should treat the exposed credentials as potentially usable by attackers.

The dormant-account angle is also important. Inactive accounts often have weaker monitoring and slower password rotation, but attackers can still use them for phishing, recovery flows, or credential reuse attempts across other services.

3 practical actions

  1. Force password resets and block reuse: Affected users should reset ISP email passwords immediately and change any other accounts where the same or similar password was reused.
  2. Monitor for credential stuffing and phishing: Security teams should watch for login attempts using exposed email addresses, especially against VPNs, SaaS platforms, cloud accounts, and customer portals.
  3. Review third-party software exposure: CISOs should identify internet-facing third-party platforms that store credentials or customer data, confirm vulnerability management ownership, and require clear incident notification and patching processes from vendors.

Today in cybersecurity:

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.