> Back to All Posts

KDDI Data Breach Exposes Email Logins for 14 Million Customers

KDDI Data Breach

One of Japan’s largest telecom providers has confirmed a serious security incident. A KDDI data breach has exposed the email credentials of up to 14.22 million customers — not just from KDDI itself, but from five additional internet service providers that shared the same compromised email infrastructure. The breach raises urgent questions about how shared systems across telecoms can turn a single vulnerability into a mass exposure event.

What Happened at KDDI

KDDI Corporation, a public Japanese telecommunications company founded in 2000 with 45,000 employees and $32.4 billion in annual revenue, discovered the compromise on June 17, 2026. Threat actors had exploited a vulnerability in third-party software running on one of KDDI’s email systems. The company responded by blocking the attacker and deploying defensive measures.

The core problem, however, goes beyond one company’s systems. KDDI operates email infrastructure that several other ISPs rely on. That shared architecture meant one successful intrusion opened the door to customer data across six providers at once.

Six ISPs, One Point of Failure

The five additional ISPs affected by the KDDI data breach are:

  • STNet, Inc.
  • JCOM Co., Ltd.
  • Chubu Telecommunications Co., Inc.
  • NIFTY Corporation
  • BIGLOBE Inc.

Each of these providers used KDDI’s email system as part of their own customer-facing services. When attackers gained access, they potentially reached the login credentials of customers across all six operators simultaneously.

This is what makes the incident especially serious. The vulnerability did not need to exist in six places. It existed in one — and that was enough.

How Many People Are Affected

KDDI estimates that up to 14.22 million email addresses and passwords may have been compromised. This figure covers current customers, former customers, and dormant accounts that are no longer actively used. The investigation is still ongoing, so the final number could shift.

There is some partial relief on the password front. KDDI confirmed that some passwords were stored in hashed or encrypted form, which means attackers cannot simply read them as plain text. Hashing is a security technique that converts a password into a scrambled string. Even if that string is stolen, it takes additional effort to reverse it into a usable password.

But KDDI stopped short of providing full transparency. The company did not disclose what hashing or encryption method was used, and it did not clarify what percentage of accounts had passwords stored in plaintext. That gap in information makes it difficult for affected customers to assess their actual risk.

What KDDI Is Doing Now

KDDI notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications shortly after the discovery. The company has been in contact with all affected ISPs since June 17, and joint efforts are underway to put additional security measures in place.

For customers caught up in the KDDI data breach, the company advises changing email account passwords immediately. Where two-factor authentication is available, enabling it adds a meaningful second layer of protection even if a password has been stolen.

Two-factor authentication, often called 2FA, requires users to confirm their identity through a second method — such as a text message code or authentication app — beyond just the password. So even if a threat actor has your credentials, they cannot access the account without that second step.

Why This Matters Beyond Japan

Events like this one carry lessons that apply far outside Japan. When ISPs and telecoms share backend infrastructure, they also share risk. A single unpatched vulnerability in a third-party software component can cascade across millions of customer accounts in multiple organizations at once.

Third-party software is a well-documented weak point in corporate security. Vendors release patches, but deployment timelines vary. In the gap between when a vulnerability becomes known and when it gets fixed, attackers move. KDDI’s breach appears to follow exactly that pattern.

The incident also draws attention to credential hygiene. Email login details are high-value targets. They can be used to reset passwords on other platforms, intercept sensitive communications, or serve as a launchpad for phishing attacks against the account holder’s contacts.

Reusing passwords across services makes all of this significantly worse. If a stolen email password matches the password on a banking or social media account, the damage extends well beyond the original breach.

Final Thoughts

The KDDI data breach is a clear example of how shared infrastructure compounds risk. One vulnerability in one piece of third-party software affected up to 14.22 million people across six providers. That is not a small oversight — it is a systemic failure with real consequences.

If you are a customer of KDDI, STNet, JCOM, Chubu Telecommunications, NIFTY, or BIGLOBE, treat your email credentials as compromised until you have changed them. Enable 2FA wherever it is offered. And if you use the same password elsewhere, change those too. Online security depends on layers. One compromised layer should not bring everything else down with it.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.