general · BleepingComputer
Japanese telecommunications giant KDDI disclosed a data breach affecting over 12 million people after attackers exploited a zero-day vulnerability in third-party software used by five ISPs (STNet, JCOM, Chubu Telecommunications C, NIFTY Corporation, and BIGLOBE). The breach, discovered on June 17, 2026, exposed email addresses for approximately 12.2 million individuals and passwords for roughly 7.6 million others. KDDI stated that some passwords were stored in hashed or encrypted form, though the company did not specify how many were in plaintext or detail the encryption methods used. The attackers gained initial access on May 16, and the vulnerability was not publicly known at the time of discovery.
For Omniware's buyers in regulated industries, this incident underscores the risk of third-party software vulnerabilities in identity and access management systems. Defense contractors and healthcare providers relying on telecommunications infrastructure for operational continuity should evaluate their supply chain security posture and ensure incident-response protocols address third-party compromises. SaaS platforms handling customer credentials must assess password storage practices—particularly plaintext versus hashed/encrypted approaches—to align with SOC2 Type II requirements around data protection and change management. An Omniware engagement can scope inventory of third-party software, vulnerability assessment procedures, and incident-response readiness across your environment.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/japanese-telecom-giant-kddi-says-data-breach-affects-12-million-people/
Source: BleepingComputer
All briefings