What happened
Japanese telecommunications operator KDDI disclosed a data breach that may have exposed email login information for up to 14.2 million customers across six internet service providers.
KDDI said attackers gained access to one of its email systems used by five other ISP operators in Japan. The company discovered the compromise on June 17 and said it responded by blocking the attacker and implementing defensive measures.
The investigation found that the attackers exploited a vulnerability in unnamed third-party software used on KDDI’s system.
KDDI said there remains a possibility that customer email addresses and passwords were obtained by unauthorized third parties. The potentially exposed data includes accounts belonging to current customers, former customers, and inactive accounts.
The affected ISP operators and email services include STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE.
KDDI said some exposed passwords were stored in hashed and/or encrypted form, which may reduce the risk of immediate account hijacking. However, the company did not specify what type of encryption was used or what percentage of passwords may have been stored in plaintext.
KDDI has been contacting affected ISPs since June 17 and has notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.
The company said it is working with affected ISPs to implement additional security measures. Customers who may have been exposed are being advised to reset their email passwords and enable two-factor authentication if available.
Who is affected
Customers of KDDI and the five affected ISP operators may be affected, including current, former, and inactive email account holders.
The potentially exposed information includes email addresses and passwords. Even if some passwords were hashed or encrypted, the exposure still creates account takeover, credential stuffing, phishing, and identity abuse risk.
Organizations may also be affected if employees used ISP email accounts for business communications, account recovery, personal cloud services, or password reset workflows.
Why CISOs should care
This incident shows how one compromised provider system can affect multiple downstream ISP operators and millions of email accounts. The breach affected not only KDDI’s own users but also systems used by other providers.
For CISOs, email account exposure remains a serious identity risk. Email inboxes are often tied to password resets, multifactor authentication recovery, personal identity documents, payment notifications, and business communications.
The uncertainty around password storage is also important. KDDI said some passwords were hashed and/or encrypted but did not disclose the encryption method or the proportion of plaintext passwords. Without that detail, security teams should assume exposed credentials may be usable and require resets.
The third-party software vulnerability also reinforces the importance of patching and vendor risk management around systems that handle authentication data at scale.
3 practical actions
- Reset exposed email account passwords immediately: KDDI advised potentially affected customers to change their passwords. CISOs should also remind employees not to reuse ISP email passwords across corporate, cloud, or personal accounts.
- Enable two-factor authentication where available: If attackers obtained email addresses and passwords, 2FA can reduce the chance of immediate account takeover. Users should enable stronger authentication on ISP email accounts and other services tied to those email addresses.
- Review business dependence on personal ISP email accounts: Email accounts are often used for password recovery and account notifications. Organizations should identify whether employees use personal ISP accounts for business services, vendor portals, or recovery workflows and move those accounts to managed corporate identity systems.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

