KDDI Data Breach Hits 14 Million Email Accounts Across 6 ISPs
Japanese telecom giant KDDI announced that up to 14.2 million email accounts at six internet service providers have been exposed due to a vulnerability in third-party software. There are concerns that attackers may have obtained email addresses and encrypted passwords.
What Happened
KDDI Corporation, one of Japan's largest telecommunications companies, has been shaken by a large-scale data breach affecting six internet service providers (ISPs). According to an official statement from the company, attackers may have gained access to information from up to 14.2 million email accounts. The incident occurred when a critical vulnerability in third-party software, used by the email system KDDI provides to ISPs, was exploited.
KDDI, a cornerstone of Japan's technology and communication infrastructure with annual revenue of approximately $40 billion and over 60,000 employees, reported detecting the cyberattack on June 17, 2026. The company stated that it blocked the attackers' access as soon as the unauthorized activity was discovered and immediately launched a comprehensive investigation. The breach affects not only active users but also former and inactive accounts, underscoring how broad the exposure is. The incident has also been reported to Japan's privacy and telecommunications regulatory authorities.
What Data Was Exposed
According to KDDI's announcement, the data that cyberattackers may have obtained is highly sensitive. The primary types of data affected by the breach are:
- Email Addresses: The email addresses of up to 14.2 million users may have been exposed. This poses a significant risk for users, making them targets for phishing attacks and spam campaigns.
- Passwords: The company stated that passwords were stored in a "hashed" or encrypted form within the system. While this is a layer of security, it may not provide complete protection. A warning was issued that attackers have obtained this encrypted data and may attempt to decrypt it. If weak or common passwords were used, the likelihood of these passwords being cracked and accounts being compromised increases.
The combination of these two pieces of information being leaked creates a valuable asset for cybercriminals. One of the biggest threats is "credential stuffing" attacks. Attackers use the email and password combinations obtained from this breach and automatically test them on other popular platforms (social media, e-commerce sites, banking applications, etc.) where users might have reused the same credentials. This method can cause the impact of a single breach to spread to many other services.
How Did the Attack Happen
KDDI confirmed that the root cause of the attack was a security vulnerability in third-party software used in their email systems. This situation highlights a class of risk known in modern cybersecurity as a "supply chain attack." No matter how well a company protects its own systems, a flaw in the software of a vendor or partner it relies on can put the entire ecosystem at risk.
The company stated that on June 17, they identified the suspected location of the unauthorized access and implemented technical defense measures to prevent further leakage. However, specific details about the vulnerability (such as a CVE number) or the techniques used by the attackers have not yet been shared. In such investigations, it often takes time for all details to be made public, and companies typically release a full report after all security patches have been applied. The identity of the third-party software also remains undisclosed at this time.
Who Is Affected
The data breach did not directly affect users of KDDI-branded services; it affected the six internet service providers that use KDDI's infrastructure to offer email services to their customers. These ISPs and their customers are the primary victims of the breach. The affected companies are:
- STNet
- KDDI Web Communications
- JCOM
- Chubu Telecommunications
- Nifty
- BIGLOBE
If you receive or have previously received email services from one of these six companies, your account is likely at risk. The fact that the breach also includes former and inactive accounts means that even users who believe they closed their accounts with one of these services years ago may have had their information compromised.
What You Can Do
If you are a customer of one of the ISPs listed above, you need to take immediate action to protect your data and minimize potential risks. Here are the steps you should take:
- Change Your Email Password Immediately: This is the most urgent and important step you must take. To prevent unauthorized access to your account, change your current password to a new, strong one right away.
- Create a Strong and Unique Password: Ensure your new password is at least 12 characters long and includes a mix of uppercase letters, lowercase letters, numbers, and special characters. Most importantly, do not use this password for any of your other online accounts.
- Review Your Other Accounts: If you used the same password for your compromised email account on other platforms (social media, banking, shopping sites, etc.), change the passwords for those accounts immediately as well. This will protect you against "credential stuffing" attacks.
- Be Wary of Phishing Attacks: Attackers now have your email address. They may try to steal more personal information (credit card numbers, national ID details, etc.) by sending you fake emails. Be cautious of emails that seem suspicious, create a sense of urgency, or ask for personal information. Carefully check the sender's address before clicking on any links in emails.
What the Company Is Saying
KDDI stated that it is attempting to manage the incident transparently. The company's official data breach notification included the following statement: "On June 17, 2026, we confirmed that some information from email services provided by various ISP operators (hereinafter referred to as 'the email service') may have been leaked to an external party in the email system (hereinafter referred to as 'the System') that we provide to Internet Service Providers (hereinafter referred to as 'ISP operators')."
The statement continued, "On the same day, we modified the System to prevent further damage. We have identified the suspected location of the Unauthorized Access and implemented technical defense measures." KDDI emphasized that they are working with the affected ISP operators on countermeasures and taking appropriate steps to inform customers and encourage password changes. The company issued the following warning to its users: "To ensure the protection of your data and eliminate future and potential risks, you will need to change your email password. We ask that you check the information provided by your ISP provider and take immediate action."