Connect with us

Infosecurity

12 million emails, 7.6 million passwords: KDDI breach is Japan’s biggest telco hack this year

Published

on

KDDI data breach

A quiet June disclosure turns into a massive data dump

When KDDI first acknowledged a security incident in June, the company gave few details. Now the numbers are out — and they are staggering. On Monday, one of Japan’s three largest telecom providers confirmed that a cyberattack on an email platform exposed more than 12.2 million customer email addresses and roughly 7.6 million passwords.

The breach hit an email system that five Japanese internet service providers (ISPs) use to manage customer accounts, webmail, and email storage. KDDI said the attackers exploited a vulnerability in third-party software powering that platform. The company patched the flaw and modified the system immediately after detecting the intrusion.

Investigators found no evidence the attackers moved beyond that single vulnerability. Still, the scale is hard to ignore: 12.2 million email addresses and 7.6 million passwords is one of the largest credential exposures in Japanese telecom history.

What was actually compromised?

The exposed data includes email addresses and passwords for customers of five unnamed ISPs that rely on KDDI’s backend email platform. The company stressed that its own consumer email services for mobile and fixed-line internet customers run on separate infrastructure and were not affected.

KDDI said many affected users have already changed their passwords. The ISPs involved are working to complete mandatory password resets in the coming days.

  • 12.2 million email addresses exposed
  • 7.6 million passwords leaked
  • Five Japanese ISPs affected
  • KDDI’s own consumer email services untouched

How the attackers got in

The entry point was a vulnerability in third-party software. KDDI did not name the vendor or the specific software, but the company said it patched the flaw as soon as it was discovered. The telco submitted a detailed report to Japan’s communications ministry earlier this week, which confirmed the full scope of the breach.

“We are analyzing the scope of the impact and the cause, responding to customers in coordination with ISP operators, and taking measures to prevent a recurrence,” KDDI said in a statement.

The company’s forensic investigation found no signs of lateral movement. That suggests the attack was contained to the email platform itself. Still, with millions of passwords in the open, the risk of credential stuffing and phishing attacks is real. Security experts recommend that affected users enable two-factor authentication wherever possible and avoid reusing passwords across services.

Japan’s rough summer of cyberattacks

The KDDI data breach is not an isolated event. Japanese companies have reported a string of cyber incidents in recent weeks. The Japanese unit of Aflac, electronics manufacturer Nidec, and brewer Sapporo Holdings have all disclosed breaches or cyber-related disruptions. There is no evidence these incidents are connected.

Separately, Tokyo police this week arrested a 15-year-old high school student on suspicion of exploiting a vulnerability in the servers of Bandai Channel, an anime streaming service. The teenager is accused of fraudulently canceling more than 46,000 user subscriptions. That case appears unrelated to the KDDI attack, but it underscores the breadth of threats facing Japanese digital infrastructure.

What KDDI customers should do now

If you use an email service provided by one of the five affected ISPs, assume your credentials were leaked. KDDI says password resets are underway, but users should not wait.

Take these steps immediately:

  • Change your email password right away — do not wait for the ISP to force a reset.
  • If you reused that password anywhere else, change it there too.
  • Enable two-factor authentication on your email account.
  • Watch for phishing emails that reference the breach. Attackers often use stolen email lists to send targeted scams.

KDDI is Japan’s second-largest mobile network operator and a major player in broadband, cloud computing, cybersecurity, and data center services. The company has not said whether it will offer credit monitoring or identity theft protection to affected users.

For a broader look at how telecom giants handle security incidents, check out our coverage of major telecom data breaches and best practices for password hygiene after a leak.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Infosecurity

Britain plans autonomous AI ‘Cyber Shield’ to defend against machine-speed attacks

Published

on

Cyber Shield AI defense

A new kind of digital shield

Britain’s cyber watchdog wants to build a fully autonomous, AI-driven defense system called Cyber Shield to protect government networks and critical infrastructure from attacks that move faster than any human can react. The plan, announced Tuesday by the National Cyber Security Centre (NCSC), envisions a network of paired AI agents — some attacking, some defending — operating at machine speed across the country’s most sensitive digital assets.

“This is about building a national scale, sovereign defense capability,” the NCSC said in a blog post. The agency warned that adversaries already use AI to compress reconnaissance and vulnerability discovery from weeks into minutes. “This has the potential to overwhelm traditional defenses and increase the risk of advantage shifting towards the attacker.”

The timing is urgent. GCHQ, the U.K.’s signals intelligence agency, recently warned that both offensive and defensive cyber capabilities could be fundamentally transformed within months — not years. GCHQ director Anne Keast-Butler flagged the Cyber Shield concept in her annual lecture earlier this year, saying the agency would “hardwire” agentic AI into machine-speed cyber defense.

Why machine speed matters

Traditional cybersecurity relies on human analysts spotting threats, investigating them, and patching vulnerabilities. That workflow takes days or weeks. Attackers using AI can now find and exploit a weak point in minutes. The gap is widening fast.

The NCSC has separately warned of an AI-driven “patch wave” — a surge of newly discovered vulnerabilities emerging faster than most organizations can fix them. In that environment, waiting for a human to decide whether to block an IP address or patch a server is a losing strategy.

“Developing viable solutions that scale and execute at the pace we need in the modern era is the remit of the Cyber Shield,” the agency stated.

How Cyber Shield would work: red vs. blue AI agents

At the core of the plan is a paired model of “red” and “blue” AI agents. Red agents continuously probe networks for weaknesses — the same way a human penetration tester would, but far faster and at greater scale. Blue agents defend in real time, blocking attacks and patching vulnerabilities automatically.

These agents would operate across critical national infrastructure — energy grids, water systems, transport networks, hospitals — but under the control of the organizations that own them. The NCSC emphasized that the system is designed to be sovereign, meaning the U.K. retains full control over its operation and data.

The agency identified six core functions Cyber Shield must deliver:

  • Automated scanning of British networks (already exists in some form)
  • Continuous vulnerability discovery
  • Real-time threat prioritization
  • Autonomous blocking of attacks
  • Fully automated patching of vulnerabilities (does not yet exist)
  • Feedback loops that improve the system over time

Some of these functions, the NCSC acknowledged, “present challenges which will need significant progress in research to unlock.” Fully autonomous patching, in particular, remains a hard problem — you don’t want an AI accidentally breaking a hospital’s patient record system while trying to fix a bug.

Who builds it? Not the government alone

The NCSC made clear it cannot build Cyber Shield by itself. The agency issued an open invitation to academia, critical infrastructure operators, frontier AI labs, and the cyber defense sector to help develop the blueprint. “In association or partnership with leading frontier AI capabilities, cyber defense organizations and academia” is how the agency described the intended delivery model.

Initial testing would begin with network defenders across government and critical U.K. sectors. After that, the agency would attempt to transition to commercially scalable solutions — but attached no timeline to the program. The rollout strategy is described as “test, iterate, scale.”

Interested parties are invited to get in touch with the NCSC directly.

The bigger picture: a race against AI-powered attackers

The Cyber Shield announcement lands in a moment of heightened concern about AI-enabled cyberattacks. The NCSC has been warning for months that the defender’s window is closing. If an attacker can find and exploit a vulnerability in minutes, and a defender takes days to patch it, the math is brutal.

Keast-Butler’s earlier speech made the stakes explicit: the U.K. has a narrowing window to stay ahead of its adversaries. Cyber Shield is the government’s bet that autonomous AI defense can close that gap — or at least keep the race competitive.

Whether the technology can deliver remains an open question. Fully autonomous patching, in particular, is not yet a solved problem. But the NCSC’s approach — test small, iterate fast, scale what works — suggests a pragmatic recognition that perfection is the enemy of progress.

For now, the Cyber Shield exists as a blueprint and an invitation. The real work begins when the first AI agents start probing government networks, looking for weaknesses before the bad guys find them.

Continue Reading

Infosecurity

New GodDamn Ransomware Uses Microsoft-Signed Driver to Wipe Out Defenses Before Striking

Published

on

GodDamn ransomware

A Ransomware Strain That Kills Protections First

Most ransomware hits you with encryption and a ransom note. But a new variant called GodDamn does something far more insidious: it disables your security software before it even starts encrypting files. Researchers at Symantec say the attackers are using a malicious kernel driver — one that still carries a valid Microsoft Windows Hardware Compatibility Publisher signature — to terminate endpoint defenses from the inside.

GodDamn first surfaced in May 2026. According to Symantec’s analysis, it’s the latest chapter in a ransomware family that has been plaguing organizations since 2022. The lineage goes like this: Monster ransomware (2022) → Beast ransomware → GodDamn. All three belong to a group the researchers call Hyadina.

This isn’t just an incremental update. It’s a deliberate escalation.

How the Attack Unfolds

The attack chain starts with a remote desktop tool. Symantec’s July 9 blog post reveals that the attackers planted AnyDesk on the target machine, hiding it inside a folder named ‘Music’. From there, the tool made outbound connections to unknown IP addresses.

How did the attackers get in? The researchers aren’t sure yet. But account compromise — stolen credentials, brute force, phishing — is the usual entry point for ransomware operations.

Once inside, the attackers drop an executable disguised as a Symantec product. That executable installs PoisonX, a kernel-mode driver that terminates security processes. The driver is signed with a legitimate Microsoft Windows Hardware Compatibility Publisher signature. How the attackers obtained that signature is unclear. Symantec notes two common paths: using stolen corporate identities to sign the driver, or secretly exploiting legitimate third-party drivers.

Either way, the result is the same: the machine’s defenses go dark.

Credential Theft and Lateral Movement

With security software knocked out, the attackers deploy tools like NirSoft and Mimikatz. These are standard-issue utilities for stealing credentials, cookies, and live network traffic. The goal is to find administrator accounts and gain control over the broader network.

This phase is critical. Ransomware that only hits one machine is a nuisance. Ransomware that compromises domain controllers and encrypts entire networks is a crisis.

Finally, the Encryption

Once the attackers have enough control — over accounts, systems, and the network — they trigger GodDamn. Files are encrypted. A ransom note appears. By that point, the victim has no security software running to stop it, and the attacker already holds the keys to the kingdom.

Why This Matters: The Evolution of Defensive Evasion

What makes GodDamn notable isn’t the encryption. It’s the method. Using a signed malicious driver to kill security products is a relatively new tactic, and it’s effective.

“GodDamn’s use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group,” the Symantec and Carbon Black threat hunter team said in their analysis. “Indicating that Hyadina is continuing to actively develop its ransomware and its capabilities.”

In other words, the Hyadina group isn’t resting. They’re iterating. And each iteration makes their attacks harder to stop.

For defenders, the lesson is clear: relying solely on endpoint detection isn’t enough anymore. Attackers are finding ways to turn those tools off. Organizations need layered defenses — network segmentation, strict application control, and monitoring for unusual driver installations — to catch this kind of attack before the ransomware fires.

Because once GodDamn runs, your security software is already dead.

Continue Reading

Infosecurity

Hacker Extradited from Ukraine Pleads Guilty in Ryuk Ransomware Case

Published

on

Ryuk ransomware extradited

Ryuk Conspirator Faces Years in Prison After Plea Deal

An Armenian man who was extradited from Ukraine has admitted his role in the Ryuk ransomware operation, one of the most damaging cybercrime campaigns of its era. Karen Serobovich Vardanyan, 34, pleaded guilty to conspiracy and computer fraud charges in a federal court in Portland, Oregon, on July 8.

The Justice Department says Vardanyan illegally broke into the networks of multiple US organizations between November 2019 and April 2020 to install Ryuk. Among the victims: a Michigan company that paid 200 bitcoin — worth over $1.1 million at the time — just to get its files back.

He also targeted a firm in Wilsonville, Oregon, and a school in Texas. The attacks weren’t random. They were surgical, hitting entities that could least afford downtime.

The Numbers Behind the Ryuk Takedown

Court documents paint a grim picture. Vardanyan and his co-conspirators hacked hundreds of servers and workstations. They collected roughly 1,610 bitcoin in ransom payments — valued at more than $15 million when the money changed hands.

As part of the plea agreement, Vardanyan has agreed to pay over $1.1 million in restitution. But that check won’t keep him out of prison. He faces a maximum of five years (plus a $250,000 fine) for conspiracy, and up to 10 years (plus another $250,000) for computer fraud. The sentencing judge will decide the final stretch.

Ryuk’s Reign: A Quick Look Back

Ryuk was a heavyweight in the ransomware world from 2018 to 2020. Its victims included US defense contractors, hospitals, and IT service providers. French giant Sopra Steria lost around $60 million in one of the costliest ransomware incidents of its time.

The group disbanded in 2020. Many of its members are believed to have joined the Conti gang — which quickly became a major threat itself. But Conti imploded two years later after a massive leak of internal chats and data.

Why Extradition Matters in Cybercrime

Perpetrators of ransomware often operate from former Soviet states, where authorities tend to look the other way as long as domestic companies aren’t hit. That’s made Ryuk ransomware extradited cases rare — and significant.

But US investigators are getting better at pulling suspects out of those jurisdictions. In March, an initial access broker involved in dozens of attacks that cost victims over $9 million was sentenced to 81 months in a US prison.

Vardanyan’s case shows the long arm of American law enforcement is reaching further east than ever. Whether that deters the next wave of ransomware crews remains an open question.

Continue Reading

Trending