Last updated: July 5, 2026 at 9:01 AM UTC
Tag: third-party (4 articles)

KDDI email breach affects up to 14.2 million accounts across six Japanese ISPs

Japanese telecom giant KDDI has disclosed a breach of an email platform it operates for itself and several internet service providers, potentially exposing the email addresses and passwords of up to 14.22 million mailboxes. KDDI detected the intrusion on June 17, blocked the attacker the same day, and traced the entry to a vulnerability in unnamed third-party software used by the email system. Six ISPs are affected, including JCOM, Nifty, and Biglobe, and the figure covers current, former, and inactive accounts. KDDI says some passwords were hashed or encrypted but has not said how many were stored in plaintext, and is urging all affected users to change their passwords.

Check
Customers of KDDI or the affected ISPs, including JCOM, Nifty, and Biglobe, should change their email passwords immediately, change the password anywhere else it was reused, and watch for phishing attempts.
Affected
Up to 14.22 million current, former, and inactive email accounts across six Japanese ISPs on KDDI's platform; exposed addresses and passwords enable account takeover, phishing, and credential stuffing where reused.
Fix
Affected users should change their email passwords, change any password reused elsewhere, and enable multi-factor authentication. Organizations should inventory third-party software in shared platforms, patch promptly, and segment systems to limit breach scope.

Texas Parks and Wildlife vendor breach exposes 3 million license holders

The Texas Parks and Wildlife Department says a breach at the third-party vendor that runs its hunting and fishing license sales exposed personal data for 3,087,721 customers, in what officials call the state's largest government data breach this year. The exposed information includes driver's license details, passport numbers where provided, email addresses, phone numbers, and home addresses; the department says Social Security numbers, dates of birth, and financial data were not taken. Texas Cyber Command detected the intrusion, which reached customer profile data through the vendor's systems. Because driver's license and passport numbers cannot be reset, affected people face lasting identity-theft and phishing risk.

Check
Texas hunting and fishing license holders should enroll in the offered Kroll credit monitoring before September 14, watch for phishing referencing licenses or state agencies, and review financial statements for fraud.
Affected
The 3,087,721 Texas hunting and fishing license customers whose driver's license, passport, and contact details were exposed through the department's third-party license vendor; minors were reportedly not affected.
Fix
Place a credit freeze or fraud alert with the major credit bureaus, enroll in the free monitoring, and stay alert to identity fraud. Organizations should tighten third-party vendor access controls and monitoring.

Oncology Institute confirms patient data exposure via third-party breach; reports point to Cognizant-owned TriZetto (3.4M+ patients in original incident)

The Oncology Institute, a US outpatient cancer-care network, has filed an SEC 8-K confirming that patient information was exposed in a third-party vendor breach. Kroll, acting as the vendor's third-party administrator, notified the company on May 20 that unauthorized access had been detected. The vendor is not officially named, but multiple reports point to Cognizant-owned TriZetto Provider Solutions, which previously disclosed a breach in March 2026 affecting more than 3.4 million patients via its provider-portal infrastructure. The Oncology Institute first flagged the incident in a November 2025 8-K. The vendor has set up a patient portal for inquiries.

Check
If your organization uses TriZetto Provider Solutions or other Cognizant healthcare-data services, request a fresh breach assessment from your account team. Audit shared-data agreements for blast radius.
Affected
Patients of The Oncology Institute and the wider TriZetto Provider Solutions ecosystem (3.4M+ patients in the original March 2026 disclosure). Healthcare providers using TriZetto for eligibility verification are exposed.
Fix
Notify affected patients per HIPAA. Tighten third-party risk reviews for healthcare-data processors. Implement strict data-handling SLAs in vendor contracts with breach notification deadlines.

Vimeo confirms user data was exposed via breach at analytics provider Anodot

Vimeo confirmed yesterday that user data was exposed when its analytics provider Anodot was breached. The video service hasn't said how many users are affected or what data was exposed beyond 'limited' account information, but Anodot's role suggests the leaked records include event-level user activity tied to Vimeo accounts: video views, account IDs, and the kind of telemetry analytics providers ingest. The pattern is the same as Citizens Bank, Frost Bank, Pitney Bowes, and now Vimeo: customer data leaks through a third-party vendor that the customer never directly signed up with.

Check
If you use Vimeo for any work-related video hosting, watch for Vimeo-themed phishing emails over the next few weeks referencing real account activity.
Affected
Vimeo users whose account data was processed by Anodot - a substantial subset given Anodot is a primary analytics provider. The risk is targeted phishing rather than account takeover: scammers who can reference real video views or account creation dates sound legitimate enough to bait credential resets. Organizations hosting marketing or training videos on Vimeo should expect staff targeting.
Fix
Treat any Vimeo email referencing your real account activity as potentially hostile - go to vimeo.com directly. Enable two-factor auth on Vimeo accounts, especially shared organizational ones. Review access logs for unfamiliar logins since April. For organizations: pull your vendor inventory and identify other analytics providers (Mixpanel, Heap, Amplitude) that hold customer data, and confirm breach notification SLAs.