353/69 Tuesday, June 30, 2026
KDDI Corporation, a major telecommunications company in Japan, has disclosed a data breach that may affect up to 14.2 million email accounts from email services operated by six internet service providers in Japan. KDDI stated that it detected the intrusion on June 17, 2026, blocked the attackers, and immediately began an investigation. The company said the cause of the incident was related to a vulnerability in third-party software used in the email system that KDDI provides to internet service providers.
According to KDDI’s announcement, some data from email services provided through multiple internet service providers may have been exported to an external party without authorization. On the same day the incident was detected, the company updated its systems to prevent further damage, identified locations suspected of being involved in the unauthorized access, and implemented technical countermeasures. The incident affected email services from six providers: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and BIGLOBE. KDDI has reported the incident to Japan’s personal information protection and telecommunications regulators.
KDDI stated that the information that may have been exposed includes email addresses and passwords, including accounts of former customers and inactive accounts. Although the passwords were stored in hashed or encrypted form, the company warned that the information may have been obtained by the attackers. KDDI is coordinating with the affected internet service providers to notify customers and take appropriate response measures. The company also recommends that affected users change their email passwords immediately to reduce the risk of unauthorized account access in the future.