KDDI Japan breach: Why shared email infrastructure is a hidden supply chain risk

On June 17, 2026, engineers at KDDI Corporation detected unauthorized access to an email system. By the time they blocked the attacker the same day, the damage was done: up to 14.2 million email addresses and passwords may have been exposed, belonging to customers across six Japanese internet service providers.

The six affected ISPs are STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and BIGLOBE. None of them were directly breached. All of them were affected, because they shared a backend email infrastructure with KDDI.

What happened

KDDI confirmed that threat actors exploited a vulnerability in unnamed third-party software running on its shared email system. The company detected the intrusion on June 17 and blocked the attacker that day. It took until June 24 for affected ISPs to be notified, and until June 29 for public disclosure.

The scope covers current and former customers, as well as inactive accounts no longer in active use. The exposed data is email addresses and passwords. KDDI has notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.

The attacker is not publicly identified. The third-party software is not named. The attack vector beyond 'vulnerability in third-party software' is not disclosed. This opacity is frustrating, but it is not unusual in breach disclosures.

The actual risk: shared infrastructure as a blast-radius multiplier

The breach mechanism is less interesting than its structure. Six organizations, each responsible to their own customers, each with their own security posture and incident response plans, were all exposed through a single shared system they did not individually control.

This is supply chain risk. It just shows up in the email infrastructure layer instead of the software dependency layer.

Most vendor risk programs ask whether a vendor is certified, whether they have a SOC 2 report, and whether they have completed the organization's security questionnaire. Far fewer programs ask the more useful question: does this vendor's infrastructure serve other customers, and what is our exposure if any of those other customers or the shared system itself is compromised?

The KDDI breach is not an outlier. It is the expected consequence of shared backend infrastructure without blast-radius containment.

What organizations should take from this

The first practical lesson is about credential rotation speed. KDDI detected the breach on June 17. Public disclosure came on June 29. Twelve days is a long time for 14.2 million credentials to circulate before affected users are told to change their passwords. If you manage email security for an enterprise, assume that credentials exposed in any ISP-level breach are in active use by threat actors before the breach is publicly disclosed. Credential stuffing campaigns against enterprise systems routinely use freshly leaked ISP credential sets.

The second lesson is about your ISP and hosting relationships. Most organizations have email delivered or relayed through a handful of providers, many of which run shared infrastructure across thousands of customers. Ask your email provider whether the systems handling your domain share infrastructure with other customers. If the answer is yes, ask what the incident notification timeline looks like in the event of a breach of that shared system.

The third lesson is about 2FA on email specifically. Email accounts protected only by a password are one credential theft away from account takeover. Push-based MFA and hardware keys are not perfect, but they significantly increase the cost of converting a stolen credential into a usable session. The affected ISPs are now advising customers to enable 2FA. That advice should have been the default configuration years ago.

What affected users should do right now

If you have an account with STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, or BIGLOBE, change your email password immediately. Do not reuse it elsewhere. Enable two-factor authentication if your provider supports it. If you used the same password on other services, change those as well. Credential stuffing works because password reuse is the norm, not the exception.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are reviewing your vendor risk program or ISP infrastructure exposure.

credential-theftZero Trustvulnerability

Device code phishing went from espionage tool to criminal commodity in six months

Attacks abusing the OAuth 2.0 Device Authorization Grant to bypass MFA jumped 37x in the first half of 2026. What started as a Russian state-actor technique is now a commodity sold in 18 phishing kits. Here is how the attack works and what you need to do about it.

June 30, 2026

vulnerabilityCVEransomwarecredential-theft

Check Point VPN authentication bypass is fueling ransomware: what IKEv1 still running in production means for you

CVE-2026-50751 is a CVSS 9.3 authentication bypass in Check Point Security Gateway's deprecated IKEv1 implementation. An unauthenticated attacker can establish a full VPN session without credentials. Qilin ransomware affiliates are using it for initial access. CISA added it to the KEV catalog on June 8 with a three-day deadline. If IKEv1 is still enabled on your gateway, you are exposed right now.

June 29, 2026

vulnerabilityCVECritical InfrastructureZero Trust

Cisco SD-WAN has logged seven exploited zero-days in 2026: what that number actually means

Seven exploited zero-days in a single Cisco product line in less than six months. CVE-2026-20245 is the latest: an authenticated CLI privilege escalation that hands attackers root on SD-WAN management infrastructure, exploited months before anyone noticed. This is not a patch-and-move-on situation. It is a product security failure that demands a strategic response from network operators.