KDDI Web Communications Affected by KDDI Data Breach, Email Logins Exposed
KDDI Web Communications, an internet service provider using KDDI Corporation's email infrastructure, was impacted by a data breach. The incident, disclosed by KDDI on June 28, 2026, led to the potential exposure of email addresses and passwords for up to 14.2 million customers across all affected ISPs, due to a vulnerability in third-party software.
Signal context
First seen: Jun 28, 2026
Last updated: Jun 28, 2026
Status: Public signal
Key points
- Impacted as a user of KDDI's compromised email system.
- Email addresses and passwords of customers potentially exposed.
- Disclosure date: June 28, 2026.
Signal analysis
BetaThis analysis groups the signal by industry, likely incident action and impacted security area. It helps compare this signal with other published signals without treating the labels as final determinations.
Sector: Information
Likely country: Location not provided
Watch internet-facing systems, credential abuse and exploit activity.
- Source type: outside the affected organization
Impact area: Confidentiality
Likely asset: User or customer data
- 32 signals in the same sector
- 95 signals with the same likely impact area
- 1 signal linked to this organization/domain
External sources
KDDI Data Breach Impacts up to 14.2 Million Email Accounts at Six ISPs - Security Affairshttps://securityaffairs.com/194387/data-breach/kddi-data-breach-impacts-up-to-14-2-million-email-accounts-at-six-isps.htmlPublic source from securityaffairs.com.
Data breach exposes up to 14.2 million email logins at six ISPs - Bleeping Computerhttps://www.bleepingcomputer.com/news/security/data-breach-exposes-up-to-142-million-email-logins-at-six-isps/Public source from bleepingcomputer.com.
KDDI Data Breach Impacts up to 14.2 Million Email Accounts at Six ISPs - Security Affairshttps://securityaffairs.co/wordpress/160628/data-breach/kddi-data-breach.htmlPublic source from securityaffairs.co.
Related signals
Grouped by why the signal is relevant.
KDDI Corporation Data Breach Exposes up to 14.2 Million Email Logins Across Six ISPs
Japanese telecommunications operator KDDI Corporation disclosed a data breach where threat actors gained access to one of its email systems, potentially exposing email addresses and passwords of up to 14.2 million current and former customers. The compromise, discovered on June 17, 2026, was attributed to a vulnerability in third-party software used by KDDI's email system. The incident also impacted five other internet service providers (ISPs) that utilize KDDI's email services.
STNet Affected by KDDI Data Breach, Email Logins Exposed
STNet, one of the internet service providers utilizing KDDI Corporation's email systems, was impacted by a data breach that exposed up to 14.2 million email accounts. The breach, disclosed by KDDI on June 28, 2026, stemmed from a vulnerability in third-party software used by KDDI, leading to the potential exposure of email addresses and passwords for STNet customers.
LastPass Customer Data Compromised via Third-Party Vendor Klue
LastPass confirmed a new data loss incident where customer data was accessed through a compromise of Klue, a third-party market intelligence platform used by LastPass's marketing and sales teams. Attackers gained access to OAuth tokens belonging to Klue clients, which were then used to access LastPass-related data in Salesforce. Exposed data includes names, phone numbers, email addresses, postal addresses, customer relationship information, commercial data, and support records. LastPass assures that user password vaults were not affected.
JCOM Affected by KDDI Data Breach, Email Logins Exposed
JCOM, an internet service provider, was affected by the data breach at KDDI Corporation, which was disclosed on June 28, 2026. The breach, caused by a vulnerability in third-party software, led to unauthorized access to KDDI's email systems and the potential exposure of email addresses and passwords for up to 14.2 million customers across the affected ISPs, including JCOM.
Ukrposhta Hit by Cyberattack, Mobile App and IT Systems Disrupted
Ukraine's state-owned postal operator, Ukrposhta, reported temporary disruptions to its mobile application and IT systems following an overnight 'hostile cyberattack' on June 25, 2026. The incident was widely reported on June 26, 2026. A pro-Russian activist group, 'IT army of Russia,' claimed responsibility for the attack, alleging they had breached Ukrposhta's infrastructure weeks earlier and exfiltrated a database containing user information and other internal data.
AgelessRx Data Breach Exposes Patient Health Information
AgelessRx, a telehealth platform specializing in longevity and anti-aging treatments, disclosed a data breach. An unauthorized actor gained access to certain help-desk tickets within the company's system between April 17 and April 22, 2026. The breach exposed sensitive patient health information, including names, dates of birth, health diagnoses or conditions, medications, and prescription details. The incident was reported to attorneys general on June 24, 2026, and notification letters to affected individuals began on June 23, 2026.