
KDDI Corporation disclosed a data breach that exposed up to 14.2 million email accounts across six Japanese internet service providers.
KDDI Corporation is one of Japan’s largest telecommunications companies. It employs more than 60,000 people and generates annual revenue of roughly ¥5.9 trillion (about US$40 billion). The company provides mobile, fixed-line, broadband, cloud, data center, IoT, and digital services, operating primarily in Japan while serving enterprise customers across Asia and other international markets.
The company detected the intrusion on June 17, quickly blocked the attackers, and launched an investigation. According to KDDI, the breach was caused by a vulnerability in third-party software used by its email system. The company is continuing its investigation while assessing the full impact of the incident.
“On June 17, 2026, we confirmed that some information from email services provided by various ISP operators (hereinafter referred to as “the email service”) may have been leaked to an external party in the email system (hereinafter referred to as “the System”) that we provide to Internet Service Providers (hereinafter referred to as “ISP operators”),” reads the data breach notice.
“On the same day, we modified the System to prevent further damage. We have identified the suspected location of the Unauthorized Access and implemented technical defense measures.”
KDDI said it has reported the breach to Japan’s privacy and telecommunications regulators and is taking the required legal and regulatory steps. The incident affected the email services of six internet providers: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and BIGLOBE.
The company said that email addresses and passwords may have been exposed, including those of accounts belonging to former and inactive customers. Although the passwords were stored in hashed or encrypted form, the company warned that attackers may have obtained them. KDDI is coordinating response efforts and is urging all impacted users to change their email passwords immediately to reduce the risk of unauthorized access.
“We are also proceeding with discussions and implementation of countermeasures. While we have implemented technical security measures for this system, there is a possibility that your email address and password may have been illegally obtained by a third party due to this unauthorized access,” concludes the notice. “To ensure the protection of your data and eliminate future and potential risks, you will need to change your email password. We ask that you check the information provided by your ISP provider and take immediate action. We will continue to work with ISP providers to inform customers and take appropriate action to encourage prompt password changes.”
(SecurityAffairs – hacking, data breach)