Japan’s second-largest telco KDDI confirmed on Monday that unauthorized access to an email platform it runs for internet service providers may have exposed the credentials of up to 14.22 million customers. The leaked data includes email addresses and passwords linked to active accounts, dormant accounts, and even users who had cancelled their service at some point in the past.

The breach affects backend email infrastructure KDDI supplies to six ISPs: STNet (Pikara Hikari, Pikara Mobile, and Oshigoto Pikara), KDDI Web Communications (CPI rental server), JCOM (J:COM NET and cable television operator mail), Chubu Telecommunications (Commufa Hikari and Business Commufa), Nifty (@nifty Mail), and BIGLOBE (BIGLOBE Mail). These are not small regional players. Several of them are among Japan’s more widely used consumer and business internet providers.

Translation:
June 23, 2026
KDDI Corporation
Regarding Unauthorized Access to Email Systems Provided to ISPs
On June 17, 2026, we confirmed a potential external data leak concerning the email services provided by various Internet Service Providers (ISPs) via the email system we supply to them.
We deeply apologize for the significant inconvenience and concern this incident has caused to the ISPs, their customers, and all other parties involved.
- Circumstances of the Incident
On June 17, 2026, we confirmed that the email system we provide to ISPs had been subjected to unauthorized access. On the same day, we modified the system to prevent the damage from spreading. We have identified the point of compromise and implemented technical defensive measures.
Our investigation revealed that the unauthorized access exploited a vulnerability in third-party software used within the system, potentially resulting in the leakage of customer email-related information necessary for using the email services. We are continuing our investigation to determine the full scope of the impact.
Regarding this incident, we are taking necessary actions—including reporting to and consulting with the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications—in accordance with relevant laws and regulations.
- Affected ISPs
The affected ISPs and their respective email services are the following six companies:
STNet, Inc.: Email services associated with “Pikara Hikari Service,” “Pikara Mobile Service,” and “Oshigoto Pikara Service”
KDDI Web Communications Inc.: Email services for the “CPI” rental server
JCOM Co., Ltd.: Email services for “J:COM NET” and for cable television operators
Chubu Telecommunications Co., Inc.: Email services for Commufa Hikari and Business Commufa
Nifty Corporation: @nifty Mail
BIGLOBE Inc.: BIGLOBE Mail
*Listed in Japanese alphabetical order
- Potentially leaked email-related information
Email addresses and passwords linked to mailboxes created within these email services: Up to 14.22 million records
*Includes customers who have cancelled their service and “dormant” customers who have not used the service for a certain period.
*Includes passwords that have been hashed or encrypted.
*Figures represent the maximum estimate, as the investigation is ongoing.
- Information for affected ISP operators
We are currently contacting the relevant ISP operators sequentially, starting from June 17, 2026. Concurrently, we are discussing and implementing necessary countermeasures.
Although technical defensive measures are in place for this system, there is a possibility that customers’ email addresses and passwords have been illicitly obtained by third parties due to this unauthorized access. To ensure the protection of customer data and eliminate future or potential risks, customers are required to change their email passwords. We ask that customers review the information provided by their ISP operators and take prompt action.
We will continue to collaborate with ISP operators to notify customers and facilitate the prompt changing of passwords.
How It Happened
The attack exploited a vulnerability in third-party software running inside the email system. KDDI says it patched the affected infrastructure on June 17, the same day it detected the intrusion, and has since applied additional technical controls. The company has filed reports with Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications, as required by law.
That’s essentially all KDDI is saying on the technical side. No threat actor has been named, no CVE has been referenced, and “third-party software vulnerability” is doing a lot of heavy lifting in an otherwise thin disclosure. Whether this was an obscure configuration flaw, an unpatched known CVE, or something worse is not in the public record yet.
The Password Problem Nobody Is Talking About
KDDI’s statement notes that the leaked data includes “passwords that have been hashed or encrypted.” That sentence is important.
It says hashed and encrypted passwords are among the leaked records. It does not say that all passwords were stored that way. The distinction matters because if some credentials were stored in plaintext or in a reversible format, then saying the dump “includes” hashed passwords is technically accurate without being reassuring. KDDI has not clarified what percentage of the 14.22 million records were protected, or which algorithms were used.
A bcrypt hash is not crackable in any practical timeframe for most attackers. An MD5 hash, still common in legacy systems, is essentially plaintext in 2026. Without knowing what KDDI’s ISP partners were actually using, there’s no way to assess how exposed these credentials really are. Affected users should not wait on that clarification.
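To make the storage question concrete, here is an added Python example (not KDDI's code, nor any ISP's) showing the two storage styles the paragraph contrasts side by side: an unsalted MD5 record next to a salted, iterated PBKDF2-SHA256 record (used here in place of bcrypt because it ships in the standard library), an audit that counts how many records in a credential store are still in the legacy form, and a login path that rehashes a legacy record the moment a user successfully authenticates. The record format, the iteration count and the sample passwords are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Hypothetical record format used by this example, not a known ISP format:
#   "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>"
# Legacy records are bare, unsalted 32-character MD5 hex digests.
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune upward as hardware gets faster


def legacy_md5(password: str) -> str:
    """The weak, unsalted form the article calls 'essentially plaintext'."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash: every guess costs the attacker `iterations` HMAC calls."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def classify_record(stored: str) -> str:
    """Label a stored record so an audit can count how many are still weak."""
    if stored.startswith("pbkdf2_sha256$") and stored.count("$") == 3:
        return "pbkdf2"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        return "legacy-md5"
    return "unknown"


def verify_password(stored: str, password: str) -> bool:
    """Constant-time comparison for either record type; unknown formats never verify."""
    kind = classify_record(stored)
    if kind == "pbkdf2":
        _, iters, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate.hex(), digest_hex)
    if kind == "legacy-md5":
        return hmac.compare_digest(legacy_md5(password), stored)
    return False


def login_and_upgrade(
    stored: str, password: str, iterations: int = PBKDF2_ITERATIONS
) -> tuple[bool, str]:
    """Verify a login; on success against a legacy record, return a rehashed record.

    Rehash-on-login is the usual way to retire weak hashes without knowing the
    plaintext in advance: the only moment the server sees the password is here.
    """
    if not verify_password(stored, password):
        return False, stored
    if classify_record(stored) == "legacy-md5":
        return True, hash_password_pbkdf2(password, iterations)
    return True, stored


def audit(records: dict[str, str]) -> dict[str, int]:
    """Count record types: the breakdown a disclosure like KDDI's leaves unanswered."""
    counts = {"pbkdf2": 0, "legacy-md5": 0, "unknown": 0}
    for stored in records.values():
        counts[classify_record(stored)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample store: two legacy records, one modern record.
    store = {
        "alice@example.net": legacy_md5("correct horse"),
        "bob@example.net": legacy_md5("hunter2"),
        "carol@example.net": hash_password_pbkdf2("battery staple"),
    }
    print("before:", audit(store))
    ok, store["bob@example.net"] = login_and_upgrade(store["bob@example.net"], "hunter2")
    print("bob login ok:", ok)
    print("after:", audit(store))
```

The audit is the number an operator should be able to state after a breach: how many records were in the legacy column when the copy was taken. The rehash-on-login path is why that number only shrinks for accounts that actually sign in, which is exactly the gap that dormant and cancelled accounts fall into.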
Who Gets Caught in This
The 14.22 million figure is a maximum estimate while the investigation is still running. It includes cancelled accounts and dormant ones that had gone unused for an unspecified period, which raises its own questions about KDDI’s data retention practices, but that’s a separate argument.
For active users, the immediate concern is credential stuffing. Attackers take leaked email and password pairs and run them against banking portals, e-commerce sites, government service logins. Japan has dealt with a series of credential stuffing incidents over the past few years, some of them involving tens of millions of authentication attempts in a single campaign. A dump this size goes straight into those workflows.
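The credential stuffing pattern described above has a simple signature from the defender's side: one source address cycling through many different accounts, mostly failing, in a short window, which is the opposite of a real user mistyping their own password. The following added Python example (not KDDI's or any ISP's code) runs that check over a constructed authentication log and reports, for each flagged source, the accounts whose leaked password evidently still worked, since those are the ones to force-reset first. The log layout, thresholds and window size are assumptions for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log, not from KDDI or any ISP. Source
# addresses come from the RFC 5737 documentation ranges and accounts are
# placeholders on example.net. 198.51.100.4 is one person mistyping their own
# password; 203.0.113.7 is the stuffing pattern: many accounts, one source.
SAMPLE_LOG = """\
2026-06-18T02:14:00Z ip=198.51.100.4 user=alice@example.net result=FAIL
2026-06-18T02:14:05Z ip=198.51.100.4 user=alice@example.net result=FAIL
2026-06-18T02:14:11Z ip=198.51.100.4 user=alice@example.net result=OK
2026-06-18T02:15:00Z ip=203.0.113.7 user=bob@example.net result=FAIL
2026-06-18T02:15:01Z ip=203.0.113.7 user=carol@example.net result=FAIL
2026-06-18T02:15:02Z ip=203.0.113.7 user=dave@example.net result=FAIL
2026-06-18T02:15:03Z ip=203.0.113.7 user=erin@example.net result=OK
2026-06-18T02:15:04Z ip=203.0.113.7 user=frank@example.net result=FAIL
2026-06-18T02:15:05Z ip=203.0.113.7 user=grace@example.net result=FAIL
2026-06-18T02:25:00Z ip=203.0.113.7 user=heidi@example.net result=FAIL
"""

# Assumed line layout for this example; real mail or web logs differ.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> dict | None:
    """Return a parsed event, or None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_stuffing(
    lines,
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> list[dict]:
    """Flag a source that tries many different accounts, mostly failing, in one window.

    A single user retrying their own password never trips this: the distinct-user
    count stays at one no matter how many failures they accumulate.
    """
    recent: dict[str, deque] = defaultdict(deque)
    alerted: set[str] = set()
    alerts: list[dict] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        dq = recent[event["ip"]]
        dq.append(event)
        # Drop events that have aged out of the sliding window.
        while dq and event["ts"] - dq[0]["ts"] > window:
            dq.popleft()
        users = {e["user"] for e in dq}
        failures = sum(1 for e in dq if e["result"] == "FAIL")
        if (
            event["ip"] not in alerted
            and len(users) >= min_distinct_users
            and failures / len(dq) >= min_fail_ratio
        ):
            alerted.add(event["ip"])
            alerts.append({
                "ip": event["ip"],
                "window_start": dq[0]["ts"].isoformat(),
                "window_end": event["ts"].isoformat(),
                "attempts": len(dq),
                "distinct_users": len(users),
                "failures": failures,
                # Successful logins inside a stuffing burst are the accounts to
                # force-reset first: the leaked password evidently still worked.
                "succeeded_accounts": sorted(
                    e["user"] for e in dq if e["result"] == "OK"
                ),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on distinct accounts per source rather than raw failure counts is what keeps the false-positive rate down; the thresholds here are illustrative and a production deployment would tune them against its own baseline and add source aggregation, since large campaigns spread attempts across many addresses.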
What KDDI Is Telling Users to Do
KDDI says it has been notifying the six affected ISPs since June 17 and is coordinating on password reset communications. The guidance is simple: change your email password and follow instructions from your specific ISP.
The decentralized approach makes operational sense given the multi-provider structure, but it also means the quality and speed of customer notification will vary by ISP. JCOM, Nifty, and BIGLOBE collectively serve millions of households. Whether every one of those customers gets a clear, timely warning before attackers start testing their credentials elsewhere is not something KDDI can guarantee from its end.
What This Breach Is Missing
KDDI has a prior record of something similar. In 2022, the company’s au mobile platform was hit by a SIM swap fraud campaign affecting approximately 3.5 million accounts. That incident prompted public criticism over response time and communication. This breach is larger by raw numbers and arguably broader in risk, since email credentials are commonly reused across unrelated services.
The company is clearly moving through the regulatory motions, and that is not nothing. But the gap between “we filed the required reports” and “we told users what actually happened” is significant, and KDDI has not closed it. Which software was exploited, how long access persisted before detection, what the actual storage practices were for these passwords: none of that is in today’s statement.
Users should not hold their breath for those answers before acting.
If you use any of the six affected services for email, change your password today. Do not wait for a notification from your ISP.
This post first appeared at - The CyberSec Guru