Japanese telecommunications company KDDI says a cyberattack has resulted in exposure of about 12 million emails. Multiple reports state that attackers exploit a zero-day vulnerability in a third-party system connected to KDDI’s email infrastructure used by its internet service providers (ISPs). Through that access path, the threat actor is reported to have obtained email content associated with affected accounts.
Both outlets describe the breach as involving third-party software rather than a direct compromise of KDDI’s email system. TechRadar further notes that additional KDDI clients are also affected, reporting that five KDDI clients were impacted alongside the larger set of exposed emails.
The reports do not indicate, in the provided excerpts, the full scope of the data accessed beyond emails, the specific third-party product or vendor, or the duration of the intrusion. KDDI’s disclosure focuses on the number of emails exposed and the mechanism used by the attacker, including the zero-day flaw in the external system.