Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

KDDI Breach: 12M Emails, 7.6M Passwords via 3rd-Party 0day

KDDI says a May 16 zero-day in unnamed third-party software exposed 12,233,087 email addresses and 7,616,173 passwords across five Japanese ISPs.

KDDI Breach: 12M Emails, 7.6M Passwords via 3rd-Party 0day
Photo: Naritama (NARITA Masahiro) / Wikimedia Commons · CC BY 2.1 jp
airgap · Published · 2 min read

Breaking. Confidence: high on the counts KDDI itself published. Vendor, CVE, and threat actor: unnamed.

KDDI confirmed on July 6 that a zero-day in a third-party software product — unnamed, per KDDI — was exploited against an email platform shared by five Japanese ISPs on May 16, 2026. KDDI put figures on it. 12,233,087 email addresses. 7,616,173 passwords. Some hashed and/or encrypted; KDDI did not specify algorithms and did not split the counts.

Timeline

  • 2026-05-16 — attacker exploits the third-party zero-day. Access, per KDDI, is against the shared email platform.
  • 2026-06-17 — KDDI reports the vendor had not yet acknowledged the vulnerability. Confidence on that gap: high through that date, unknown after.
  • 2026-07-06 — KDDI issues an update with the exposure figures above and confirms zero-day exploitation.
  • 2026-07-08 — public reporting picks up. Vendor still unnamed in KDDI’s disclosure. No CVE issued in public sources. No threat-actor attribution.

Scope

Five ISPs used the affected email platform:

  • STNet
  • JCOM
  • Chubu Telecommunications
  • NIFTY Corporation
  • BIGLOBE

Up to 14.22 million current and former customers had accounts on that platform, per KDDI. Exposure is a subset: 12,233,087 email addresses and 7,616,173 passwords.

Payment card data, government IDs, and message contents are not reported in the exposed set. Absence in the notice is not the same as confirmed absence. Treat accordingly until KDDI expands the disclosure.

What we don’t have

  • The vendor. KDDI did not name the third-party product. That matters because any other operator running the same product is on the same clock, without knowing it.
  • The CVE. Zero-day, no vendor acknowledgment as of June 17. A public advisory may follow.
  • Password hashing detail. “Hashed and/or encrypted” is the full statement. Salted or not, modern KDF or legacy digest — unspecified. Assume the worst on any individual account until KDDI or the vendor clarifies.
  • The threat actor. No forum listing referenced in KDDI’s disclosure. No claim, no attribution.

Action

If you have an account on STNet, JCOM, Chubu Telecommunications, NIFTY, or BIGLOBE — including one you stopped using — rotate the password there, and rotate anywhere that password was reused. Assume the password is in the exposed set until KDDI tells you otherwise. Turn on second-factor auth if the ISP offers it.

If you run a shared mail platform behind any managed-service ISP relationship, hunt for anomalous authentication traffic on and after May 16, 2026. The zero-day is unnamed but the attack window is not.

Watch for the vendor name. When it drops, a patch clock starts for everyone else running the same product.

Sourcing

Found this useful? Share it.