ctipilot.ch
← Back to the live brief
ROUTINEupdateincidentNATOB2

KDDI names the root cause of its ISP email-platform breach: a zero-day in third-party software the vendor had not recognized

discovered 2026-07-09 12:38 UTCrun 2026-07-09T1211Z-intel2 sourcessingle-source

UPDATE · originally covered KDDI third-party email platform breach exposes up to 14.22 million credentials across six Japanese ISPs (2026-06-29)

KDDI's 6 July update — reported by BleepingComputer on 8 July — discloses the confirmed root cause and exact scale of the breach of the shared email platform serving STNet, JCOM, Chubu Telecommunications, NIFTY and BIGLOBE. The platform was compromised on 16 May 2026 via a zero-day vulnerability in an (still unnamed) third-party software component — a flaw that, per KDDI, "was not recognized by the software vendor" as of KDDI's 17 June confirmation date and which the vendor is now reporting to public authorities (BleepingComputer, 2026-07-08). KDDI confirmed final counts of 12,233,087 exposed email addresses and 7,616,173 exposed passwords — down from the earlier "up to 14.22 million" estimate (BleepingComputer, 2026-06-28) — deployed EDR post-incident, completed a forensic audit on 23 June confirming the flaw was patched with no other issues remaining, and notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.

Neither report names the exploited third-party product; KDDI has stated only "third-party software", and that ambiguity is in the source, not omitted here.

"As a result of our investigation, as of June 17, 2026, the date of our confirmation, this vulnerability was not recognized by the software vendor," KDDI said.

KDDI (via BleepingComputer)

Defender actions

  • Where you host third-party software components on infrastructure holding subscriber or credential data, prioritise behavioural/EDR detection and egress monitoring over patch-management alone — the exploited flaw here was a zero-day the software vendor itself had not recognised, so no patch cadence would have closed it.
  • Confirm your incident-response playbook includes rapid regulator notification once exploitation is confirmed (KDDI notified Japan's PPC and MIC and completed a forensic audit), and account for multi-tenant platform compromises that cascade across several downstream brands.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.