News Updated 3 days ago
KDDI: 14.22M Emails & Passwords Possibly Leaked at @nifty, BIGLOBE
Privacy, Japanese Companies, Security
KDDI's ISP email system was breached, possibly exposing up to 14.22M email addresses and passwords. @nifty, BIGLOBE and more affected. Here's what to do now.
2026.06.23 1 views
Roundup
Kitakyushu's national health insurance slips go wrong for 44,000 homes
Privacy, Japanese Companies, Development
Kitakyushu City found defects in the national health insurance payment slips it mailed out. Another person's slip was enclosed in some envelopes, and the barcodes for the January-March installments carried someone else's data. About 44,000 households are affected. The cause: a vendor program flaw in the system swapped in May, plus an error in the new envelope-stuffing machine. We break down what happened, why it slipped through, and what recipients should do.
2026.06.17 5 views
Roundup
Awa Bank's 27,745-record leak: what happened in a test environment left running
Japanese Companies, Privacy, Security
Awa Bank leaked a cumulative 27,745 records of customer and shareholder data. The cause was a test environment left running long after development ended, with real customer data never deleted, then accessed from outside. We break down what leaked, how it could be abused, and how it should have been prevented.
2026.06.17 3 views
Roundup
Hacker and Ransomware Groups Explained: Qilin, Anonymous, and Attacks on Japan
Privacy, Security, Lawsuits & Regulation
A guide to the hacker and ransomware groups you see in the news—Qilin, Anonymous, North Korea's Lazarus and more—sorted into four types: ransomware, state-backed, social extortion and hacktivist. Where they came from, who's in them, which famous companies they hit, and what it means for ordinary life, including groups that struck Japan's Asahi, KADOKAWA and local governments.
2026.06.15 10 views
Roundup
Why Asahi Cut Its Profit: The Full Chain of a Ransomware Attack, From Breach to a 47.5 Billion Yen Hit
Security, Japanese Companies, Privacy
In June 2026 Asahi Group cut its net-profit outlook from 167.5 billion to 120 billion yen, blaming the September 2025 ransomware attack. We trace the nine-month chain—breach via a VPN device, halted orders and shipping, 115,513 leaked records, the refusal to pay Qilin, and the 47.5-billion-yen hit—and explain what hole was breached and how the company responded.
2026.06.15 18 views
News
Cheap Wi-Fi Cameras and Doorbells Can Be Hijacked, No Fix Coming: CVE-2026-28742
Security, Mobile, Privacy
Cheap Wi-Fi cameras and doorbells sold on Temu and Amazon (Naxclow / V720, X3) have a flaw that lets a stranger hijack the camera with no login, and CISA has issued an advisory. Your Wi-Fi password leaks too, and there is no patch. Here is CVE-2026-28742 and what owners should do.
2026.06.13 8 views
News
Aqara Smart Locks and Cameras Could Be Hijacked: Cloud Flaws Including CVE-2026-50083
Privacy, Security, Mobile
Researchers disclosed 10 vulnerabilities in Aqara's smart-home cloud, including CVE-2026-50083, that let an unauthenticated attacker operate smart locks and cameras. Here is the takeover chain and what owners should do.
2026.06.13 37 views
News
Tapo D100C, L535E and P300 Leak Setup Data Over Bluetooth (CVE-2026-34126) — Update Now
Privacy, Security
TP-Link's Tapo smart-home devices — the D100C doorbell chime, L535E bulb, and P300 power strip — leak their initial-setup Bluetooth communication in cleartext, letting someone nearby intercept it or hijack the device (CVE-2026-34126). Fixed firmware is out; here is how to check and update affected models and what to do if already set up.
2026.06.05 27 views
News
CVE-2026-48188: OTRS Helpdesk Auth Bypass, No Login Needed (Fix 2026.4.X)
Privacy, Security
CVE-2026-48188 (CVSS 9.1) lets attackers break into the OTRS helpdesk with no login via unauthenticated SQL injection, but only when MySQL/MariaDB runs in NO_BACKSLASH_ESCAPES mode. Fixed in OTRS 2026.4.X; the end-of-life Community Edition 6.0.x is most at risk.
2026.06.01 26 views
News Updated 5 days ago
Casdoor SSO Auth Bypass (CVE-2026-9090 to 9098): No Patch Yet, Here Is How to Lock It Down Now
Security, Privacy
If your organization self-hosts Casdoor as its SSO login server, you are affected: CERT/CC disclosed nine authentication-bypass flaws (CVE-2026-9090 to 9098, VU#780781) in v2.362.0 and earlier that let an attacker log in as any user or admin. There is still no patch as of June 22, 2026, so the fix is operational: restrict the IdPs Casdoor accepts to trusted ones and audit your accounts now.
2026.06.01 36 views
News
OpenCATS flaw exposes the entire candidate database (CVE-2026-49489)
Security, Privacy
OpenCATS (<=0.9.7.4) has SQL injection flaw CVE-2026-49489 (CVSS 8.5): any logged-in user can dump the candidate database. A public exploit exists; no fix yet.
2026.05.31 19 views
News
Japan's Joh-Pla Act: 5 Platforms on a 7-Day Deletion Clock
Global Companies, Privacy, Lawsuits & Regulation
Japan's Joh-Pla Act (in force since April 2025) makes Google, Meta, X, TikTok and LINE Yahoo decide on defamation-deletion requests within 7 days. Corporate fines reach 100M yen. A year in, what changed?
2026.05.19 15 views