Japanese Telecom Giant Says Breach May Expose 14.2 Million Email Accounts


KDDI says a breach may have exposed email addresses and passwords for up to 14.2 million ISP accounts across six providers.

Written by Ken Underhill
Jun 29, 2026

Japanese telecommunications operator KDDI Corporation has disclosed a data breach that may have exposed email addresses and passwords for up to 14.2 million customer accounts across six internet service providers (ISPs).

The company discovered unauthorized access to a shared email system on June 17, blocked the attacker, and implemented additional defensive measures.

Key takeaways of the KDDI incident

  • KDDI disclosed a breach that may have exposed the email addresses and passwords of up to 14.2 million accounts across six Japanese internet service providers.
  • Attackers exploited a vulnerability in third-party software, highlighting the downstream risks of shared infrastructure and supplier dependencies.
  • The exact impact remains under investigation, and KDDI has not disclosed how passwords were stored for all affected accounts, leaving the overall credential risk uncertain.
  • Exposed email credentials can enable spearphishing, credential stuffing, and account takeover attacks, even if some passwords were hashed or encrypted.

Breach affects multiple Japanese ISPs

This incident impacted email services operated by KDDI as well as STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE.

KDDI is one of Japan’s largest telecommunications companies, with approximately 45,000 employees. The company estimated that up to 14.2 million accounts may have been exposed, including current and former customers, as well as inactive accounts that may no longer be in use.

KDDI said the investigation remains ongoing, and the exact number of affected accounts has not yet been confirmed.

Because the impacted system supported multiple ISP operators, the breach illustrates how a shared-service or supplier-dependent infrastructure can increase downstream risk when a single system is compromised.

Password exposure risk remains unclear

KDDI said some passwords were stored in hashed or encrypted form, which may reduce the likelihood of immediate account takeover.

However, the company did not disclose the hashing or encryption methods used, whether salts were applied, or what percentage of accounts received stronger protection. Because password exposure risk depends heavily on how credentials are stored, weak hashing, reversible encryption, or plaintext storage could leave some users more vulnerable than others.

Even if some passwords cannot be immediately abused, exposed email addresses and login data can still create risks for spearphishing, credential stuffing, and account takeover attempts.

KDDI notifies regulators and affected providers

KDDI said it began contacting affected ISPs and reported the incident to Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. The company is also working with affected providers to implement additional security measures and reduce the risk to customers.

Impacted customers should reset their email passwords, enable two-factor authentication (2FA) where available, and use password managers. Organizations should monitor for unusual login activity, spikes in failed authentication attempts, suspicious forwarding rules, and phishing attempts targeting affected users.
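
One way to monitor for the spikes in failed authentication attempts mentioned above is to flag any source that fails against many distinct mailboxes in a short window, then list the accounts that source did log in to. This is an added example, not code from KDDI or the article; the event format, IP addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-login events: (timestamp, source IP, account, result).
# IPs come from documentation ranges; accounts and times are made up.
SAMPLE_EVENTS = (
    # One source failing against six different mailboxes in five minutes...
    [(f"2026-01-01T09:0{i}:00", "203.0.113.50", f"user0{i}", "FAIL") for i in range(6)]
    # ...then succeeding on a seventh: a likely valid reused credential.
    + [("2026-01-01T09:07:00", "203.0.113.50", "user07", "OK")]
    # A legitimate user mistyping their own password, then getting in.
    + [(f"2026-01-01T09:1{i}:00", "198.51.100.7", "alice", "FAIL") for i in range(3)]
    + [("2026-01-01T09:14:00", "198.51.100.7", "alice", "OK")]
    # A shared (NAT) address with unrelated failures spread over hours.
    + [(f"2026-01-01T1{i}:00:00", "192.0.2.10", f"cust{i}", "FAIL") for i in range(5)]
)


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: finding} for sources whose failed logins hit at least
    min_accounts distinct accounts within any sliding window of length window."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), account, result))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(t, a) for t, a, r in rows if r == "FAIL"]
        peak, start = 0, 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans <= window.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, len({a for _, a in fails[start:end + 1]}))
        if peak >= min_accounts:
            # Any successful login from a flagged source needs a forced reset.
            hits = sorted({a for _, a, r in rows if r == "OK"})
            findings[ip] = {"distinct_failed_accounts": peak,
                            "successful_logins": hits}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Counting distinct accounts rather than raw failures keeps a single user's repeated typos from triggering the alert, and the window length keeps a busy shared address from being flagged for unrelated failures hours apart.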

The KDDI breach highlights how third-party software vulnerabilities can create large-scale exposure when they affect centralized infrastructure.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.