A data breach at Japanese telecoms operator KDDI may have exposed up to 14.22 million email addresses and passwords linked to ISP mail services, after attackers gained unauthorised access to a mail system that KDDI provides to six ISPs in Japan. KDDI said it confirmed the incident on 17 June 2026, repaired the affected system the same day, and traced the intrusion to a vulnerability in third-party software used inside the mail platform, reports The WP Times.
The company has not said whether the attackers copied the full set of credentials, nor has it named the exploited software. The confirmed risk is narrower but still serious: mailbox-linked email addresses and passwords created for affected services may have been obtained by an unauthorised third party. Some passwords were hashed or encrypted, according to KDDI, but the company has not disclosed the algorithms, implementation, or share of accounts protected that way.
KDDI data breach affects six Japanese ISP email services
KDDI’s notice says the incident involved a mail system it provides for internet service providers, not a generic consumer database or a billing platform. That distinction matters because the exposed records are directly useful for account takeover, phishing, credential stuffing, and mailbox monitoring. Email accounts often act as recovery channels for banking, shopping, cloud storage, social media, and work tools, so even an old ISP mailbox can become a useful target. The affected ISP operators and services named by KDDI are:
- STNet, covering Pikara Hikari, Pikara Mobile and work-related Pikara mail services;
- KDDI Web Communications, covering CPI rental server mail services;
- JCOM, covering J:COM NET and cable television operator mail services;
- Chubu Telecommunications, covering Commufa Hikari and Business Commufa mail services;
- Nifty, covering @nifty Mail;
- BIGLOBE, covering BIGLOBE Mail.
KDDI’s figure is a maximum estimate, not a confirmed victim count. The company says the number includes current customers, cancelled customers, and dormant users who have not used the service for a defined period. That widens the notification problem because some people may no longer check the affected inbox, may have changed provider years ago, or may not recognise the account as a live security risk.
Dormant accounts are rarely harmless when the same mailbox still receives password reset links.
The main facts currently confirmed by KDDI are set out below.
| Issue | Confirmed detail |
|---|---|
| Date detected | 17 June 2026 |
| Public notice | 23 June 2026 |
| System involved | ISP-facing email system managed by KDDI |
| Possible exposed data | Email addresses and passwords linked to mailboxes |
| Maximum scale | Up to 14.22 million records |
| Cause stated by KDDI | Vulnerability in third-party software |
| Regulators contacted | Personal Information Protection Commission and Ministry of Internal Affairs and Communications |
| Customer action | Password change through affected ISP guidance |
KDDI says it began contacting the affected ISP operators from 17 June and is working with them on countermeasures. It also says technical defensive measures have been implemented for the system, although that does not remove the need to change passwords if the credentials were already accessed.
What KDDI says happened in the data breach
KDDI’s chronology is short. On 17 June, the company confirmed unauthorised access to the mail system used for ISP services. It then modified the system to prevent the damage spreading, identified the suspected intrusion point, and implemented technical defensive measures. Its investigation found that attackers exploited a vulnerability in third-party software used in the platform.
The company’s Japanese notice says: “As a result of the investigation, it was found that this unauthorised access was caused by exploitation of a vulnerability in third-party software used in this system” (KDDI press release, 23 June 2026). That wording leaves several unanswered security questions, including whether the vulnerability was already publicly known, whether a patch existed, and how long the vulnerable component had been exposed.
The Register reported that KDDI did not present the bug as a zero-day vulnerability and did not explain why vulnerable software was running on the service. That point is important for enterprise customers because third-party software exposure is usually a governance problem as much as a technical one: asset inventory, patch timing, logging, segmentation and supplier risk all determine whether a flaw becomes a breach.
Why email logins are high-value data
A stolen ISP mailbox password can be more damaging than it first appears. Many legacy email accounts stay attached to online services for years, even after customers move to another provider. Attackers can search old mail for invoices, identity documents, account confirmations, travel bookings, delivery records, and password reset links.
The risk profile depends on three details KDDI has not yet made public:
- whether any passwords were stored in plaintext;
- what hashing or encryption methods were used;
- whether attackers accessed metadata, message contents, or only credential-related records.
KDDI’s official statement refers specifically to email addresses and passwords tied to mailboxes, and says some passwords were held in hashed or encrypted form. People’s Daily reported that email content may also have been compromised, but KDDI’s own notice, as published in its official PDF, focuses on email-related login information. The safer reading is that credentials are the confirmed concern, while wider mailbox exposure needs clearer confirmation from KDDI or regulators.
KDDI has not published the name of the affected third-party software.
Password exposure, hashing and what users should do now
The phrase “hashed and/or encrypted” can sound reassuring, but what it means depends on the implementation. A per-user salted hash computed with a deliberately slow algorithm (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) forces an attacker to guess each account separately and pay the full cost for every guess; a fast unsalted hash such as MD5 or SHA-1 lets one precomputed table be checked against every record at once, however many million there are. Encryption protects passwords only if the keys stayed out of the attackers’ reach, which is hard to guarantee when the key must be available to the same system that was compromised. None of these schemes protects a weak or reused password from offline guessing, so without technical detail, customers and security teams should treat the exposure as actionable.
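To make that difference concrete, the following added example (not KDDI’s code and not from its notice; the accounts, passwords and wordlist are constructed for the demonstration) runs the same small dictionary attack against two storage schemes: unsalted MD5, where one hash per candidate word serves every record, and per-user salted PBKDF2-HMAC-SHA256, where every record needs its own pass over the wordlist and every guess costs the full iteration count.

```python
"""Added example: why "hashed" alone says little about password exposure.

Runs one dictionary attack against (a) an unsalted fast hash store and
(b) a per-user salted PBKDF2 store, and counts the work each attack needs.
The users, passwords and wordlist below are constructed for this demo and
are not taken from any real breach.
"""
import hashlib
import hmac
import os

# Constructed sample credential table (hypothetical accounts, not real data).
SAMPLE_USERS = {
    "alice@example.invalid": "summer2024",
    "bob@example.invalid": "password1",
    "carol@example.invalid": "kddi-mail-login-2026",          # not in wordlist
    "dave@example.invalid": "correct horse battery staple",   # not in wordlist
}
# A tiny constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password1", "qwerty", "summer2024", "letmein", "welcome1"]


def unsalted_md5(password: str) -> str:
    """Legacy scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, iterations: int) -> tuple[bytes, int, bytes]:
    """Salted slow scheme: random 16-byte salt per user plus an iteration count."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(record: tuple[bytes, int, bytes], candidate: str) -> bool:
    """Recompute the KDF for a guess and compare in constant time."""
    salt, iterations, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(guess, digest)


def crack_unsalted(stored: dict[str, str], wordlist) -> tuple[dict[str, str], int]:
    """Hash each word ONCE, then look every user up in the resulting table.
    Returns (cracked {user: password}, number of hash computations)."""
    table = {unsalted_md5(word): word for word in wordlist}  # len(wordlist) hashes
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(stored: dict, wordlist) -> tuple[dict[str, str], int]:
    """With a salt per user there is nothing to share between accounts: each
    record needs its own pass over the wordlist, one KDF run per guess."""
    cracked: dict[str, str] = {}
    guesses = 0
    for user, record in stored.items():
        for word in wordlist:
            guesses += 1
            if verify_pbkdf2(record, word):
                cracked[user] = word
                break
    return cracked, guesses


def compare(users=SAMPLE_USERS, wordlist=WORDLIST, iterations=100_000) -> dict:
    """Build both stores from the same passwords and attack each with `wordlist`."""
    md5_store = {u: unsalted_md5(p) for u, p in users.items()}
    kdf_store = {u: pbkdf2_record(p, iterations) for u, p in users.items()}
    md5_cracked, md5_hashes = crack_unsalted(md5_store, wordlist)
    kdf_cracked, kdf_guesses = crack_salted(kdf_store, wordlist)
    return {
        "md5_cracked": md5_cracked,
        "md5_hash_computations": md5_hashes,          # does not grow with user count
        "pbkdf2_cracked": kdf_cracked,
        "pbkdf2_guesses": kdf_guesses,                # grows with users x wordlist
        "pbkdf2_hmac_calls": kdf_guesses * iterations,  # each guess costs `iterations`
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Two things stand out when it runs. The unsalted attack costs six hash computations regardless of how many records are in the dump, which is why a fast unsalted scheme offers almost no protection at the scale of 14.22 million accounts. The salted slow scheme multiplies the work by the number of users and by the iteration count, yet the two weak passwords still fall to it, which is why the password-change advice holds no matter how KDDI stored them.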
KDDI’s advice is direct: users should follow information from their ISP and change their email password promptly. The company says the step is needed to protect customer data and remove future or potential risk after the unauthorised access.

A practical response should focus on the email account first, then on every other service tied to it:
- change the affected ISP email password immediately;
- do not reuse the old password anywhere else;
- enable two-factor authentication if the service supports it;
- review forwarding rules, filters and recovery addresses, delete any you did not create, and check login history for unfamiliar devices or locations;
- change passwords on banking, shopping and cloud accounts that used the affected mailbox for recovery;
- watch for phishing messages that reference the ISP, KDDI, password resets or account verification.
For businesses using one of the affected providers, the check should extend beyond individual mailboxes. Administrators should confirm whether shared mailboxes, former staff accounts, service accounts, domain administrator addresses, and billing contacts are included. An abandoned mailbox used for domain renewal or supplier portals can create more risk than a busy personal inbox.
“Although technical defensive measures have already been implemented for the system, there remains a possibility that customers’ email addresses and passwords were obtained by unauthorised third parties” (KDDI notice, 23 June 2026).
The most exposed users are not always the most active ones. Cancelled or dormant customers may miss ISP notices, yet their old email addresses may still be listed as recovery accounts elsewhere. That is why the inclusion of inactive accounts in the 14.22 million maximum matters.
Why the KDDI breach matters beyond Japan
The KDDI case is not only a Japanese telecoms story. It is a supplier-risk incident involving a major operator providing a shared platform to other ISPs. When one managed service fails, several brands have to notify customers, coordinate password resets, answer regulator questions, and handle reputational fallout for infrastructure they did not directly operate.
This architecture is common in telecoms, hosting, payments, customer support and cloud operations. Outsourcing can reduce cost and centralise specialist operations, but it also concentrates technical risk. A single vulnerable component can become a route into multiple downstream customer bases.
The incident also shows how email remains a weak point in digital identity. Companies often invest heavily in app security, banking controls and endpoint detection, while leaving older mail services with limited authentication options and years of retained account data. Attackers understand that a mailbox can be a master key.
A simple comparison shows the difference between a contained system breach and an identity breach built around email credentials.
| Breach type | Typical damage | Why this case is sensitive |
|---|---|---|
| Marketing database leak | Spam, profiling, phishing | Usually lacks direct login credentials |
| Billing data exposure | Fraud, impersonation, targeted scams | Often involves names, addresses or payment references |
| Email login exposure | Account takeover, resets, mailbox search | Email can unlock other services |
| Managed platform breach | Multi-brand notification and trust issue | One supplier affects several providers |
The regulatory dimension is also visible. KDDI says it is proceeding with necessary actions, including reporting and consultation with Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. That places the incident in both privacy and telecoms oversight channels.
What remains unknown in the KDDI data breach investigation
Several critical points are still open. KDDI says the investigation is continuing and that the 14.22 million figure is a maximum because the impact range has not been fully identified. Until the company releases more detail, the incident should be treated as a potential credential exposure at scale rather than a fully measured leak.
The main unresolved questions are:
- which third-party software contained the exploited vulnerability;
- whether the vulnerability was previously known and patchable;
- how long the attackers had access before detection;
- whether any passwords were stored in plaintext;
- whether mailbox contents or only login-related records were accessed;
- how many of the 14.22 million records relate to active customers.
KDDI’s public statement says it will continue working with the affected ISPs on customer notification and password changes. The operational challenge is that password resets across millions of accounts can create support delays, phishing opportunities, and confusion if messages from attackers imitate genuine ISP instructions.
Customers should reach the ISP website directly rather than using links inside unexpected emails.
For now, the confirmed story is a third-party software breach in a KDDI-managed ISP mail system, with up to 14.22 million mailbox credentials potentially exposed across six Japanese providers. The useful response is plain: reset the affected email password, remove reuse of that password elsewhere, protect recovery routes, and wait for clearer technical detail from KDDI or the relevant ISP.