KDDI Corporation Email System Data Breach
Japanese telecommunications operator KDDI Corporation disclosed a data breach affecting an email system it provides to multiple internet service providers. Threat actors exploited a vulnerability in unnamed third-party software, potentially exposing up to 14.22 million email addresses and passwords of current, former, and inactive customers. The compromise was discovered on June 17, 2026, and technical defensive measures were immediately implemented. KDDI has reported the incident to Japanese privacy and telecommunications regulators.
Signal context
First seen: Jun 28, 2026
Last updated: Jun 29, 2026
Status: Public signal
Key points
- Up to 14.22 million email addresses and passwords potentially exposed.
- Breach originated from a vulnerability in third-party software used in KDDI's email system.
- Affected customers include those of KDDI and five other Japanese ISPs.
Signal analysis
BetaThis analysis groups the signal by industry, likely incident action and impacted security area. It helps compare this signal with other published signals without treating the labels as final determinations.
Sector: Information
Likely country: Location not provided
Watch internet-facing systems, credential abuse and exploit activity.
- Source type: outside the affected organization
Impact area: Confidentiality
Likely asset: User or customer data
- 33 signals in the same sector
- 95 signals with the same likely impact area
- 1 signal linked to this organization/domain
External sources
Data breach exposes up to 14.2 million email logins at six ISPs - Bleeping Computerhttps://www.bleepingcomputer.com/news/security/data-breach-exposes-up-to-142-million-email-logins-at-six-isps/Public source from bleepingcomputer.com.
KDDI Data Breach Impacts up to 14.2 Million Email Accounts at Six ISPs - Security Affairshttps://securityaffairs.com/194387/data-breach/kddi-data-breach-impacts-up-to-14-2-million-email-accounts-at-six-isps.htmlPublic source from securityaffairs.com.
KDDI Data Breach Impacts up to 14.2 Million Email Accounts at Six ISPs - Security Affairshttps://securityaffairs.co/wordpress/160628/data-breach/kddi-data-breach.htmlPublic source from securityaffairs.co.
Related signals
Grouped by why the signal is relevant.
STNet Email Accounts Impacted by KDDI Data Breach
STNet, an internet service provider, was impacted by a data breach disclosed by KDDI Corporation on June 28, 2026. The breach, stemming from a vulnerability in third-party software used by KDDI's email system, exposed up to 14.2 million email accounts across several Japanese ISPs, including STNet. Email addresses and passwords of STNet customers may have been compromised.
JCOM Email Accounts Impacted by KDDI Data Breach
JCOM, an internet service provider, was impacted by a data breach disclosed by KDDI Corporation on June 28, 2026. The breach, stemming from a vulnerability in third-party software used by KDDI's email system, exposed up to 14.2 million email accounts across several Japanese ISPs, including JCOM. Email addresses and passwords of its customers may have been compromised.
LastPass Customer Data Compromised via Third-Party Vendor Klue
LastPass confirmed a new data loss incident where customer data was accessed through a compromise of Klue, a third-party market intelligence platform used by LastPass's marketing and sales teams. Attackers gained access to OAuth tokens belonging to Klue clients, which were then used to access LastPass-related data in Salesforce. Exposed data includes names, phone numbers, email addresses, postal addresses, customer relationship information, commercial data, and support records. LastPass assures that user password vaults were not affected.
KDDI Web Communications Email Accounts Impacted by KDDI Data Breach
KDDI Web Communications, an internet service provider, was impacted by a data breach disclosed by KDDI Corporation on June 28, 2026. The breach, stemming from a vulnerability in third-party software used by KDDI's email system, exposed up to 14.2 million email accounts across several Japanese ISPs, including KDDI Web Communications. Email addresses and passwords of its customers may have been compromised.
Polymarket Suffers $3M+ Crypto Drain via Third-Party Vendor Compromise
Prediction market platform Polymarket disclosed a breach where hackers compromised a third-party vendor, injected malicious code into the website for some users, and drained approximately $3 million (updated reports around $3.1M) in pUSD (USDC-backed) from at least 11 user wallets. The funds were subsequently swapped and moved to Ethereum. The platform has contained the incident, promised full refunds to affected users, and is notifying victims. The incident was disclosed on June 28, 2026.
Chubu Telecommunications Email Accounts Impacted by KDDI Data Breach
Chubu Telecommunications, an internet service provider, was impacted by a data breach disclosed by KDDI Corporation on June 28, 2026. The breach, stemming from a vulnerability in third-party software used by KDDI's email system, exposed up to 14.2 million email accounts across several Japanese ISPs, including Chubu Telecommunications. Email addresses and passwords of its customers may have been compromised.