KDDI Corporation, one of Japan’s largest telecommunications providers, disclosed a significant data breach on June 28, 2026, revealing that up to 14.22 million customer accounts may have been compromised. The breach, which also affected five partner internet service providers that rely on KDDI’s email infrastructure, exposed customer email addresses and passwords stored within the company’s systems.
The incident is among the largest credential breaches disclosed by a Japanese carrier in recent years, raising serious concerns about the security of shared email infrastructure across the country’s ISP ecosystem.
Table of Contents
- What Happened in the KDDI Data Breach
- Which ISPs Were Affected
- What Customer Data Was Exposed
- How the Breach Occurred
- How KDDI Responded
- What Affected Customers Should Do Now
What Happened in the KDDI Data Breach
KDDI’s security team discovered the breach internally on June 17, 2026. The company went public with the disclosure eleven days later, on June 28. During that window, KDDI worked to block the attacker, assess the scope of the compromise, and notify Japan’s regulatory bodies.
According to KDDI, the intrusion was made possible by a vulnerability in unnamed third-party software running on its systems. The company has not publicly identified the software vendor or the specific flaw that was exploited. No hacker group or individual has been named in connection with the attack.
KDDI notified Japan’s Personal Information Protection Commission as well as the Ministry of Internal Affairs and Communications following the discovery — both standard regulatory obligations under Japanese data protection law when a breach of this scale occurs.
Which ISPs Were Affected
Because multiple internet service providers operate their email services on KDDI’s shared infrastructure, the breach extended well beyond KDDI’s own direct customer base. Five partner ISPs were caught in the exposure: STNet Inc., JCOM Co. Ltd., Chubu Telecommunications Co. Inc., NIFTY Corporation, and BIGLOBE Inc.
Together with KDDI itself, that brings the total number of affected entities to six. Customers who hold or previously held email accounts through any of these providers — including inactive and former accounts — fall within the potentially compromised pool of 14.22 million.
The reach across multiple ISPs underscores a structural risk that comes with consolidating email systems under a single infrastructure provider. A single vulnerability in one shared platform created downstream exposure for millions of customers who may have had no direct relationship with KDDI.
What Customer Data Was Exposed
The data categories confirmed as potentially exposed are email addresses and passwords. KDDI stated that some passwords were stored in hashed or encrypted form, though the company did not specify what share of the 14.22 million affected accounts held passwords in plaintext versus protected formats. That share matters, and so does the kind of protection: an encrypted password is fully reversible by anyone who also obtained the key, whereas a hashed password has to be guessed.
KDDI’s public statement warned that passwords “may have been obtained by unauthorized third parties”, language that stops short of confirming theft but signals the company cannot rule it out. The distinction between plaintext and hashed matters less than it might seem. A hashed password is not immediately usable, but how long it stays unusable depends on the hashing algorithm and on the password itself: an unsalted fast hash such as MD5 or SHA-1 can be tested at billions of guesses per second on commodity GPUs, so common and reused passwords fall in minutes, while a salted, deliberately slow function such as bcrypt, scrypt or Argon2 raises the cost per guess and per account. Only that combination, a slow salted hash and a strong unique password, holds up against offline cracking of a stolen table.
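As an added illustration of why the hashing scheme decides how quickly a leaked password table can be cracked (example code written for this article, not KDDI's code or data), the script below stores a few constructed accounts under two schemes, unsalted SHA-1 and per-user-salted PBKDF2-HMAC-SHA256, and runs the same small dictionary against both. The accounts, the wordlist and the 100,000-iteration work factor are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample accounts and a constructed wordlist; neither is real
# KDDI data. The third password is deliberately absent from the wordlist.
SAMPLE_ACCOUNTS = [
    ("user1@example.jp", "summer2024"),
    ("user2@example.jp", "password1"),
    ("user3@example.jp", "Xq7!vL#9pR2m"),
]
WORDLIST = ["123456", "password", "qwerty", "password1",
            "letmein", "summer2024", "kddi2026"]
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the slow scheme


def sha1_unsalted(password: str) -> str:
    """Fast, unsalted hash: every user with the same password shares one digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, per-user-salted hash: each guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_sample_dump():
    """Return the same accounts stored under both schemes, as an attacker would receive them."""
    unsalted = [(email, sha1_unsalted(pw)) for email, pw in SAMPLE_ACCOUNTS]
    salted = []
    for email, pw in SAMPLE_ACCOUNTS:
        salt = os.urandom(16)  # random per-user salt, stored next to the digest
        salted.append((email, salt, pbkdf2_salted(pw, salt)))
    return unsalted, salted


def crack_unsalted(records, wordlist):
    """Hash each candidate once, then look every stored digest up in that table.
    Cost is len(wordlist) hashes no matter how many users are in the dump."""
    table = {sha1_unsalted(w): w for w in wordlist}
    cracked = {email: table[digest] for email, digest in records if digest in table}
    return cracked, len(wordlist)


def crack_salted(records, wordlist, iterations=PBKDF2_ITERATIONS):
    """Per-user salts defeat the lookup table: every candidate is re-hashed for
    every user, and each hash costs `iterations` rounds. Returns
    (cracked accounts, number of PBKDF2 evaluations performed)."""
    cracked = {}
    calls = 0
    for email, salt, digest in records:
        for w in wordlist:
            calls += 1
            if hmac.compare_digest(pbkdf2_salted(w, salt, iterations), digest):
                cracked[email] = w
                break  # stop guessing once this account is recovered
    return cracked, calls


if __name__ == "__main__":
    unsalted, salted = build_sample_dump()
    c1, n1 = crack_unsalted(unsalted, WORDLIST)
    c2, n2 = crack_salted(salted, WORDLIST)
    print(f"unsalted SHA-1: cracked {sorted(c1)} with {n1} hash operations")
    print(f"salted PBKDF2 : cracked {sorted(c2)} with {n2} PBKDF2 calls "
          f"of {PBKDF2_ITERATIONS} rounds each")
```

With the unsalted fast hash the attacker hashes the dictionary once and recovers every weak account in the dump by lookup, so a 14-million-row table costs no more than a 3-row one. With a per-user salt and a slow function each guess must be recomputed for each account, so the work scales with the number of users times the iteration count. The strong password falls to neither run because it is not in the dictionary, which is the "strength of individual passwords" half of the equation.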
There is currently no public information indicating that the stolen data has been posted online, offered for sale on criminal forums, or otherwise circulated. That absence of evidence does not mean the data is safe — it may simply mean it has not surfaced yet.
How the Breach Occurred
KDDI attributed the intrusion to exploitation of a vulnerability in third-party software used within its systems. The company did not name the software or the vendor, which is a common practice during active investigations or when vendor disclosure agreements are in place.
Third-party software vulnerabilities have become one of the most common entry points in enterprise breaches globally. When a widely used platform or utility contains an exploitable flaw, attackers can target multiple organizations simultaneously — or specifically pick high-value targets like telecom operators sitting on large volumes of customer credentials.
KDDI said it has blocked the attacker and implemented additional defensive measures following discovery of the intrusion. No further details on the specific technical controls deployed have been made public.
How KDDI Responded
After identifying the breach on June 17, KDDI moved to contain the intrusion and begin its regulatory notification process. The company alerted Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications — the two primary bodies overseeing personal data and telecommunications security in Japan.
The eleven-day gap between internal discovery and public disclosure is not unusual for breaches of this complexity, particularly when companies are still scoping the full extent of the compromise and coordinating with regulators before going public. KDDI has not provided a detailed incident timeline beyond the discovery and disclosure dates.
The five affected ISP partners — STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE — are also expected to be communicating with their respective customer bases. Customers of those providers should monitor for direct notifications from their ISP in addition to any communications from KDDI.
What Affected Customers Should Do Now
KDDI is recommending that affected customers reset their passwords immediately and enable two-factor authentication on their accounts. These are the two most effective near-term steps any credential breach victim can take, regardless of whether their specific password was exposed in plaintext or hashed form, and the reset should not wait for evidence that a particular hash has been cracked. The email account deserves priority because it is usually the password-recovery channel for every other service the customer uses.
Beyond those immediate steps, anyone with an account on KDDI’s email system, or with an account through STNet, JCOM, Chubu Telecommunications, NIFTY, or BIGLOBE, should check whether they reused the same password on other services and change it on every one of them. Credential stuffing attacks, in which stolen email-password pairs are replayed with automated tooling against banking, shopping, and social media sites, are the standard follow-on to any email credential breach; because each attempt uses a valid username and the correct password for some accounts, the attacks are distinguishable from ordinary logins mainly by their shape, such as one source trying many different accounts with a high failure rate.
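That shape is what a service provider can look for in its own authentication logs after a credential leak. The detector below is an added example written for this article, not anything KDDI or its partner ISPs have published; it parses constructed log lines in a hypothetical `timestamp src=... user=... result=...` format, slides a time window over each source address, and flags sources that attempt many distinct accounts with mostly failures. The window size and thresholds are assumed values a team would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log lines in a hypothetical format; not real KDDI logs.
# 203.0.113.10 cycles through six accounts (one succeeds); 198.51.100.7 is a
# legitimate user who mistypes once; 198.51.100.8 is a single clean login.
SAMPLE_LOG = """\
2026-07-01T02:14:03Z src=203.0.113.10 user=alice@example.jp result=FAIL
2026-07-01T02:14:04Z src=203.0.113.10 user=bob@example.jp result=FAIL
2026-07-01T02:14:04Z src=203.0.113.10 user=carol@example.jp result=FAIL
2026-07-01T02:14:05Z src=203.0.113.10 user=dave@example.jp result=OK
2026-07-01T02:14:06Z src=203.0.113.10 user=erin@example.jp result=FAIL
2026-07-01T02:14:07Z src=203.0.113.10 user=frank@example.jp result=FAIL
2026-07-01T08:30:00Z src=198.51.100.7 user=alice@example.jp result=FAIL
2026-07-01T08:30:09Z src=198.51.100.7 user=alice@example.jp result=OK
2026-07-01T09:00:00Z src=198.51.100.8 user=bob@example.jp result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, src_ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Per source IP, slide a time window over its attempts and flag the IP when a
    window contains at least `min_distinct_users` different accounts and a failure
    ratio of at least `min_fail_ratio`. Successful logins inside a flagged window
    are reported as the accounts most likely taken over."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                findings[src] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    "successful_accounts": sorted({e[2] for e in win if e[3]}),
                }
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The useful output is not the flagged IP so much as `successful_accounts`: those are the customers whose reused password actually worked and who need a forced reset and session revocation, not just an advisory email. Real campaigns spread attempts across many IPs to stay under per-source thresholds, so a production version would also aggregate by ASN, user-agent or target-account velocity, but the per-source window is the baseline signal.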
Current, former, and inactive account holders are all within the scope of the 14.22 million figure KDDI disclosed. That means customers who closed their accounts years ago should still take precautions if they reused those passwords elsewhere. The KDDI data breach is a reminder that dormant accounts carry real risk long after they stop being used.
