Daily Security Intel

June 29, 2026

[SecurityIntel] 29 Jun | KDDI Email System Data Breach

SECURITYINTEL DAILY BRIEF

■ ThreatIntel Brief

Monday, June 29, 2026

INTEL CONFIDENCE: 88%
THREAT LEVEL: CRITICAL

THREAT OF THE DAY: KDDI Email System Data Breach (CRITICAL)

5 C2 IPs · 48 OTX IOCs · 3 ARTICLES

■ ANALYST TLDR

Threat actors breached KDDI Corporation's email system, exposing up to 14.2 million email logins across six Japanese ISPs. This critical data breach poses a significant risk for credential stuffing attacks and further account compromise for affected users. Security teams should also note the release of YARA-X versions 1.18.0 and 1.19.0, which bring detection improvements and bug fixes.

■ CRITICAL STORIES

CRITICAL #1

Data breach exposes up to 14.2 million email logins at six ISPs

This breach exposed sensitive login credentials for millions of users across multiple Japanese ISPs, posing a significant risk for credential stuffing and further account compromise. Immediate user action and system remediation are required.

INFO #2

YARA-X 1.18.0 and 1.19.0 Release

Updates to the YARA-X detection engine provide improved capabilities and bug fixes for security analysts, enhancing threat detection and rule development.

INFO #3

ISC Stormcast For Monday, June 29th, 2026

General daily security update from SANS, providing timely insights into current threats and vulnerabilities, though specific details are not provided in this summary.

■ CVEs IDENTIFIED

[CVE-TBD]

KDDI Corporation Email System — Data breach exposing 14.2 million email logins

Critical

■ THREAT ACTORS

Unspecified Threat Actors

Cybercriminal/State-sponsored (generic)

Gained unauthorized access to KDDI's email system and exfiltrated 14.2 million email logins.

■ ATT&CK TTPs

T1078
Valid Accounts | Threat actors likely used or gained valid accounts to access KDDI's email system.
T1530
Data from Local System | Collection of email logins from the compromised email system.
T1041
Exfiltration Over C2 Channel | Implied exfiltration of 14.2 million email logins from the compromised system.
T1589.002
Gather Victim Identity Information: Email Addresses | Collection of email addresses and associated logins during the breach.

■ PATCH PRIORITY

[P1 PATCH NOW] ≤24h

KDDI Corporation Email System — Remediation of root cause for data breach and hardening against future unauthorized access — BC article

[P2 PATCH NOW] ≤72h

YARA-X — Update to latest version for improved detection capabilities and bug fixes — SANS article

■ RECOMMENDED ACTIONS TODAY

1. [P1] Advise users of KDDI Corporation and associated ISPs to immediately change their email passwords and enable multi-factor authentication where available, due to the exposed logins from the KDDI email system breach.
2. [P1] Organizations operating similar email systems to KDDI Corporation's compromised platform should conduct immediate security audits, review access logs for suspicious activity, and enforce robust credential management policies.
3. [P2] Security teams should update their YARA-X instances to versions 1.18.0 or 1.19.0 to leverage improved detection capabilities and bug fixes.
4. [P3] Implement credential stuffing detection mechanisms and monitor for anomalous login attempts targeting all external-facing authentication systems.

■ LIVE IOC FEED

C2 IP BLOCKLIST  ·  AbuseCH Feodo  ·  Showing 5 of 5

IP ADDRESS       PORT  STATUS   MALWARE  COUNTRY
162.243.103.246  8080  OFFLINE  Emotet   US
50.16.16.211     443   ONLINE   QakBot   US
34.204.119.63    443   OFFLINE  QakBot   US
178.62.3.223     443   OFFLINE  QakBot   GB
27.133.154.218   443   OFFLINE  QakBot   JP

FULL IOC EXPORT — GOOGLE SHEET

All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs
Updated daily · Export as CSV to import directly into your tools


IOC SOURCES: AbuseCH Feodo  ·  AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB
