Breach Discovery and Response
Japanese telecommunications operator KDDI Corporation has disclosed a significant data breach affecting its email systems. The company detected the compromise on June 17, 2026, and took immediate action to block the attacker and implement defensive measures. The breach originated from a vulnerability in unnamed third-party software used by KDDI.
KDDI stated that while technical defenses have been deployed, there remains a risk that customer email addresses and passwords were accessed by unauthorized parties. The company has been investigating the incident and coordinating with affected parties since the discovery.
Scope of Exposure
The breach impacts five internet service providers that rely on KDDI’s email infrastructure: STNet, JCOM, Chubu Telecommunications, NIFTY Corporation, and BIGLOBE. Up to 14.22 million customers, including current and former users as well as inactive accounts, may have had their email credentials exposed.
KDDI noted that some passwords were stored in hashed or encrypted form, potentially limiting immediate abuse. However, the company did not disclose the specific encryption methods used or the proportion of passwords stored in plaintext. KDDI has contacted affected ISPs and notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. Customers are advised to reset passwords and enable two-factor authentication if available.
Source: BleepingComputer
