KDDI data – KDDI says threat actors accessed an email system used by five other Japanese ISPs, discovered on June 17. The company warns customers’ email addresses and passwords may have been obtained, with exposure potentially reaching up to 14.22 million accounts.
A June 17 alert inside KDDI triggered something more than an internal fix. The Japanese telecom giant says it discovered attackers had accessed an email system that it uses for itself and five other internet service providers.
KDDI moved quickly—blocking the attacker and putting defense measures in place—after determining that the breach stemmed from a vulnerability in unnamed third-party software used on its system.
Even with those technical steps already implemented. KDDI is warning customers that the damage may not be limited to logs or metadata. “Although technical defensive measures have already been implemented for the system. there remains a possibility that customers’ email addresses and passwords were obtained by unauthorized third parties as a result of the incident. ” the company said.
KDDI’s breach matters because email accounts are a master key in everyday digital life. If attackers have credentials, the first thing they try is often access—not just for emails, but for everything those emails can unlock.
The affected ISPs
KDDI says the incident impacted five ISP operators and their email services: STNet, Inc.; JCOM Co., Ltd.; Chubu Telecommunications C., Inc.; NIFTY Corporation; and BIGLOBE Inc.
While KDDI is still investigating and has not finalized how many accounts were impacted, it says the breach may have exposed the email addresses and passwords of up to 14.22 million customers.
That number includes current and former customers, as well as inactive accounts that may no longer be in use.
KDDI also points to one factor that could limit direct account takeover: some passwords were stored in hashed and/or encrypted form. meaning they “cannot be readily abused for account hijacks even if exposed.” But the company did not specify what type of encryption was used or what percentage of accounts had passwords stored in plaintext.
From response to notifications
KDDI says it has been contacting affected ISPs since June 17. It also notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.
The company says it is working with the impacted ISPs to implement additional security measures to mitigate the risks stemming from the exposure.
What customers are being told to do
KDDI’s guidance to customers is straightforward: reset email account passwords as soon as possible. If two-factor authentication (2FA) is available, the company says it would be prudent to set it up for additional protection.
The scale of KDDI’s reach only adds pressure. KDDI is one of Japan’s largest ISPs, employing 45,000 people and reporting annual revenue of $32.4 billion. The company has operated since 2000. following the merger of IDO. DDI. and Japan’s former state-monopoly international telecommunications provider. which was also named DDI. formed from that merger.
For now, the key unanswered piece is how many accounts were actually exposed—and what the mix of password storage looks like in practice. Until those findings land, KDDI’s message to users is aimed at the only safe move in the face of uncertainty: change the password, and turn on 2FA if you can.
KDDI data breach email logins Japan ISPs 14.22 million accounts password exposure two-factor authentication Personal Information Protection Commission