Japanese telecommunications giant KDDI Corporation has disclosed a major cybersecurity breach after attackers gained unauthorized access to one of its email systems used by five other internet service providers (ISPs) in the country. According to the company’s preliminary assessment, the incident may have exposed the email addresses and passwords of up to 14.22 million (1.422 crore) customer accounts.
KDDI said it detected suspicious activity on June 17 and immediately blocked the attackers’ access while deploying additional security measures. The subsequent investigation revealed that the threat actors exploited an unidentified vulnerability in third-party software used within the company’s email infrastructure to infiltrate the system.
The affected ISPs include STNet Inc., JCOM Co. Ltd., Chubu Telecommunications Co. Inc., NIFTY Corporation, and BIGLOBE Inc. KDDI stated that the potentially affected accounts include current customers, former customers, and inactive email accounts.
The company clarified that passwords were not stored uniformly across all accounts. While some passwords were protected using hashing and encryption, reducing the likelihood of immediate misuse, KDDI did not disclose what percentage of passwords were stored in plaintext or which encryption algorithms were used. As a result, the full extent of the security risk is still being assessed.
KDDI began notifying the affected ISPs on June 17 and has also informed Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications about the breach. The company is working closely with the affected service providers to implement additional safeguards and minimize potential risks.
Although the investigation remains ongoing and it is not yet clear how much customer data was actually accessed, cybersecurity experts warn that stolen email credentials can be used for account takeovers, identity theft, phishing attacks, and other forms of cybercrime. Users who reuse the same password across multiple online services are considered to be at significantly higher risk.
Renowned cybercrime expert and former IPS officer Prof. Triveni Singh said that the greatest danger following a large-scale data breach is password reuse. If users recycle the same password across multiple platforms, cybercriminals can launch credential stuffing attacks to gain unauthorized access to banking, social media, and other sensitive accounts. He advised users to immediately change passwords for all critical accounts and enable multi-factor authentication (2FA) wherever available.
KDDI has also urged potentially affected customers to reset their email account passwords without delay and activate two-factor authentication (2FA) if the feature is available. The company said the investigation is continuing and that affected users and partner ISPs will be informed as more details emerge.
