moderate / Anti-Privacy / Data Breach

Executive Summary

Japanese telecommunications operator KDDI Corporation disclosed a data breach affecting up to 14.2 million email accounts across six ISPs, after attackers exploited a vulnerability in third-party software on June 17. The breach potentially exposed email addresses and passwords of current and former customers, though some passwords were stored in hashed or encrypted form. Affected customers are advised to reset their email passwords immediately and enable two-factor authentication where availa...

What Happened

On June 17, 2026, KDDI Corporation, one of Japan's largest telecommunications operators, discovered that attackers had exploited a vulnerability in unnamed third-party software to access an email system serving six internet service providers. The breach potentially exposed email addresses and passwords for up to 14.2 million current and former customer accounts across STNet, JCOM, Chubu Telecommunications, NIFTY Corporation, BIGLOBE, and KDDI itself. KDDI blocked the attackers on the same day, notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications, and began working with affected ISPs to implement additional security measures.

Who Is Affected

Up to 14.2 million email account holders in Japan are potentially affected, including current customers, former customers, and holders of inactive accounts across the six ISPs. The compromised data includes email addresses and passwords, though KDDI stated that some passwords were stored in hashed or encrypted form, which may reduce the risk for a portion of affected users. The company did not specify what percentage of passwords were stored in plaintext or the strength of the encryption used for protected passwords.

Why It Matters

This breach demonstrates how vulnerabilities in third-party software can create widespread exposure across multiple service providers that share infrastructure, amplifying the impact beyond a single company. The incident affects a significant portion of Japan's internet users and highlights ongoing risks in the telecommunications sector, where centralized email systems serve millions of accounts. The storage of some passwords in plaintext or with weak encryption represents a failure to implement basic security standards, one that could enable immediate account takeovers and downstream attacks using exposed credentials.

What You Should Do

If you have an email account with KDDI, STNet, JCOM, Chubu Telecommunications, NIFTY Corporation, or BIGLOBE, reset your email password immediately using a strong, unique password that you do not use anywhere else. Enable two-factor authentication on your email account, if the option is available, to add an additional layer of protection. If you have reused your email password on other websites or services, change those passwords as well, since attackers may attempt to access multiple accounts using the stolen credentials.

Summary generated from verified sources and reviewed before publication.