This week’s cybersecurity and dark web news stories discuss the Data breach exposing up to 14.2m email logins, Google’s disruption of malicious proxy networks, and VoidStealer update.
14.2 Million Email Logins Exposed in KDDI Breach Spanning Six ISPs
Japan’s second-largest telecommunications operator, KDDI Corporation, disclosed on June 28 that threat actors had exploited a vulnerability in an unnamed third-party software product to gain unauthorised access to an email system shared by five other internet service providers across the country.
The breach, discovered on June 17, may have exposed the email addresses and passwords of up to 14.2 million customers, a figure spanning current and former subscribers, and inactive accounts, across STNet, JCOM, Chubu Telecommunications, NIFTY Corporation, and BIGLOBE. KDDI moved immediately to block the attacker and has since notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.
The key unknown is how many of those passwords were stored in plaintext. KDDI confirmed that some were hashed or encrypted — reducing the risk of direct account hijacks, but declined to specify the proportion or the encryption methods used. Until that is clarified, the safest assumption for any current or former subscriber to any of the five affected ISPs is that their credentials are in attacker hands. Password resets and, where available, two-factor authentication setup should be treated as urgent.
The incident follows a pattern that keeps reasserting itself: the vulnerability wasn’t in KDDI’s own code. It was in a third-party component sitting at the heart of infrastructure serving millions of people. Supply chain and software dependency risk continues to be where these large-scale exposures originate.
Google Takes Down NetNut Residential Proxy Network
On July 2, Google’s Threat Intelligence Group, working alongside the FBI and network intelligence firm Lumen, dismantled the NetNut residential proxy network, also tracked as Popa, in the second major proxy botnet disruption this year, following the takedown of the IPIDEA network in January 2026.
Residential proxy networks are the anonymisation layer serious threat actors rely on. By enrolling millions of consumer devices, smart TVs, streaming boxes, home routers, into a hidden botnet, operators can sell access to those devices’ IP addresses to cybercriminals who want to make their traffic appear to originate from ordinary home users. The result is that attacker activity blends into legitimate internet traffic, making it far harder to detect or block. Google estimated the NetNut network included at least two million devices distributed globally, and in a single week during June 2026 observed 316 distinct threat clusters, cybercriminal and nation-state espionage groups alike, routing activity through NetNut exit nodes.
Google’s response was three-pronged: disabling all Google accounts and services NetNut used for malware command-and-control; sharing technical intelligence on NetNut’s SDKs and infrastructure with platform providers, law enforcement, and research firms; and using Google Play Protect to automatically warn users about and disable Android applications known to incorporate NetNut’s SDK. The result, Google says, was a reduction in the available device pool by millions.
One sobering detail in the disclosure: many popular residential proxy brands turn out to be resellers of the NetNut botnet under white-label agreements, meaning the ripple effect of the takedown likely extends well beyond the NetNut brand itself. Google also noted that when their own botnet degrades, proxy operators typically respond by buying capacity from competitors, a sign that sustained, coordinated pressure across multiple providers is the only approach likely to produce lasting results. That work is ongoing.
Consumers can help. Any app that offers payment for “sharing unused bandwidth” is almost certainly enrolling your device in a network like this. Stick to official app stores and keep Google Play Protect active.
VoidStealer Version 3: Chrome’s Encryption Bypass Gets a Decentralised Upgrade
VoidStealer, the information-stealing malware that made waves earlier in 2026 for its novel method of bypassing Google Chrome’s App-Bound Encryption, has released a significant update. On July 4, an announcement on a Russian-language hacking forum confirmed the release of Version 3, a self-hosted variant, reportedly rewritten largely from scratch, with access to the stealer’s infrastructure no longer dependent on the developer’s own servers.
To understand why that matters, some background is useful. Chrome’s App-Bound Encryption (ABE), introduced in July 2024, was designed to protect browser-stored credentials, session cookies, and autofill data by tying the decryption key to Chrome itself via a privileged system service. Previous bypass methods required either admin privileges or code injection into Chrome, both of which are noisy and detectable. VoidStealer’s approach, first documented by researchers at Gen in early 2026, is different: it targets the brief window when Chrome’s master key sits in memory in plaintext, reading it before the data is ever encrypted. No privilege escalation, no code injection, no administrator rights needed. Kaspersky described the technique as highly effective against current browser defences and compatible with all Chromium-based browsers including Edge, Opera, Brave, and Vivaldi.
Version 3 adds operational decentralisation to that technical capability. By enabling customers to deploy and manage their own command-and-control infrastructure rather than routing exfiltrated data through developer-controlled servers, VoidStealer becomes significantly harder for law enforcement to disrupt. Seizing one central server no longer takes the service offline. The tradeoff is a reduced feature set in this self-hosted variant compared to the main $250-per-month MaaS offering, but for buyers who prioritise operational security over convenience, it is an attractive option.
The update reflects broader trends in the infostealer market. The category is crowded, LummaC2, StealC, Meduza, and others compete for the same affiliate base, and developers increasingly differentiate on resilience and evasion capability rather than raw functionality. VoidStealer’s architecture is maturing in exactly that direction.
For defenders, the key detection signals are behavioural rather than signature-based: unexpected debugger attachments to browser processes, unusual use of memory-reading APIs, and anomalous Chrome process spawning. Storing credentials in the browser remains a significant risk regardless of Chrome version, and hardware security keys or passkeys, which cannot be exfiltrated by any known stealer technique, remain the most robust defence against this class of threat.