KDDI Breach Exposes Up to 14.2 Million Email Credentials Across Six ISPs

KDDI Corporation, one of Japan’s largest telecommunications operators, has disclosed a data breach affecting an email platform shared with five other internet service providers across the country. The company detected the intrusion on June 17, 2026, and moved quickly to evict the attacker and apply defensive measures.

How the Breach Occurred

According to KDDI, threat actors exploited a vulnerability in an unnamed third-party software product running on the affected email system. The company has not publicly identified the software vendor or the nature of the flaw. While technical mitigations have been applied to the system, KDDI acknowledged that customer email addresses and passwords may have been obtained by unauthorized parties during the incident window.

Scope and Affected Parties

The compromised infrastructure supported email services operated by five downstream ISPs:

• STNet, Inc.
• JCOM Co., Ltd.
• Chubu Telecommunications C., Inc.
• NIFTY Corporation
• BIGLOBE Inc.

KDDI estimates that up to 14.22 million email accounts may have been exposed. That figure spans current customers, former customers, and dormant accounts that are no longer actively used. The investigation remains ongoing, and a precise count has not yet been established.

Password Storage Caveats

KDDI noted that some portion of passwords were stored in hashed or encrypted form, which limits the immediate risk of credential reuse. However, the company declined to disclose which hashing or encryption algorithms were used, and did not clarify what proportion of accounts had passwords stored in plaintext, a gap that makes it difficult for affected users to assess their actual exposure level.

Regulatory Notification and Response

KDDI has been coordinating with the five affected ISPs since the day of discovery. It has also formally notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications, in line with domestic data protection obligations. Ongoing work with partner ISPs aims to implement additional security controls to reduce residual risk.

Recommended Actions for Affected Users

Given the uncertainty around plaintext password exposure, all potentially affected customers should take immediate steps:

• Reset email account passwords without delay, and avoid reusing passwords across services.
• Enable two-factor authentication (2FA) on the affected email account if the provider supports it.
• Monitor associated accounts, particularly those that share the same password, for signs of unauthorized access.

Security teams should also treat any credentials tied to the affected ISP domains as potentially compromised until further clarification from KDDI narrows the scope of plaintext exposure.