374/69 Thursday, July 9, 2026

KDDI, a telecommunications company in Japan, has disclosed a data breach after attackers gained access to an email platform used by five internet service providers (ISPs) in Japan, potentially exposing a large number of users’ email addresses and passwords. KDDI is Japan’s second-largest mobile telecommunications provider, with approximately 45,000 employees and annual revenue of about USD 32.4 billion. The company detected the incident on June 17, 2026, before blocking the attackers’ access and implementing additional protective measures. The incident affected STNet, JCOM, Chubu Telecommunications, NIFTY Corporation, and BIGLOBE.
KDDI previously stated that the incident could affect the email addresses and passwords of current customers, former customers, and inactive accounts, totaling up to approximately 14.22 million accounts. Some passwords were stored in hashed or encrypted form, which helps reduce the risk of account takeover to some extent. However, the company has not specified how many accounts may have had passwords stored in plaintext or provided details about the encryption methods used. In an update on July 6, 2026, KDDI disclosed that attackers began compromising the platform on May 16, 2026, by exploiting a zero-day vulnerability in third-party software. At the time KDDI confirmed the incident, the vulnerability was still unknown to the software developer.
According to the latest investigation results, KDDI stated that 12,233,087 users’ email addresses and 7,616,173 users’ passwords had been accessed. The company is in the process of changing passwords for affected email accounts and coordinating with ISPs to force password resets for users who rarely use the email service within one to two days. In addition, KDDI has deployed Endpoint Detection and Response (EDR) systems to detect future intrusions. The company stated that a review conducted on June 23 confirmed that the exploited vulnerability had been fixed and that no other security issues were found in the system. KDDI has also reported the incident to Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications, while working with the affected ISPs to reduce risks to users.
