
KDDI confirmed that a zero‑day flaw in its email infrastructure was exploited on 17 June, exposing the personal data of millions of Japanese internet users. The breach, disclosed in a statement published on its newsroom, affected email accounts linked to several ISPs that rely on KDDI’s shared mail platform. SecurityWeek noted that over 12 million individuals were impacted in its coverage, while other reports put the figure higher.
The attackers used an undisclosed vulnerability to bypass authentication and gain read‑only access to mail servers. According to KDDI’s advisory, the intrusion compromised the email addresses of approximately 12.2 million subscribers and the plain‑text passwords of 7.6 million accounts. Infosecurity Magazine highlighted that the incident reached six ISPs and exposed around 14.2 million email addresses in its report. No CVE identifier has been assigned to the flaw as of the disclosure date.
Exploitation appears to have been limited to data exfiltration; there is no evidence that the attackers modified mail content or used the access to launch further intrusions. KDDI said it detected the breach on the same day it began, ejected the threat actors from its systems and initiated a forced password reset for all affected accounts. The company is working with the impacted ISPs to verify that no residual footholds remain.
Although no specific threat actor has been linked to the incident, the use of a zero‑day suggests a well‑resourced group capable of discovering and weaponising previously unknown flaws. The breach underscores the systemic risk posed by shared services in the telecommunications sector, where a single component can cascade across multiple providers. Observers warn that similar supply‑chain dependencies may be targeted in future campaigns targeting critical infrastructure in the Asia‑Pacific region.
Defenders should treat the KDDI episode as a reminder to enforce strong credential hygiene across all third‑party connections. Organisations that rely on external email gateways must ensure multi‑factor authentication is enabled for administrative interfaces and that privileged accounts are protected with hardware‑based tokens. Regularly reviewing access logs for abnormal login patterns, especially from unfamiliar geographies or IP ranges, can help detect early signs of compromise.
Additionally, security teams ought to pressure vendors for rapid disclosure of vulnerabilities affecting shared infrastructure and to maintain an up‑to‑date inventory of all downstream services. When a zero‑day is suspected, isolating the affected segment, applying emergency patches or workaround configurations, and communicating transparently with users are essential steps to limit damage and restore trust. Proactive engagement with industry‑wide information sharing groups can also improve the collective ability to spot and thwart similar threats.