Skip to main content

KDDI Breach Exposes 12 Million People's Email Addresses, Passwords

Rows of computer servers and network equipment in a brightly-lit data center with blurred monitor screens and cables.

12,233,087 — that is the number KDDI says attackers accessed when they breached an email platform used by five Japanese internet service providers, and the company says 7,616,173 passwords were also taken.

KDDI's disclosure and timeline

Japanese telecommunications giant KDDI disclosed the incident after discovering attacker access on June 17, saying it had "blocked the attackers' access and implemented defensive measures." The company reported the breach publicly last month and issued a July 6 update that pushed the timeline back to May 16, when, it said, attackers first breached the platform.

KDDI also said a forensic audit on June 23 confirmed the exploited vulnerability had been addressed and that "the systems aren't affected by other security issues." The company notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications and is working with affected ISPs to implement further security measures.

Scope of exposed data and affected ISPs

KDDI identified the compromised ISPs as STNet, JCOM, Chubu Telecommunications C, NIFTY Corporation, and BIGLOBE. The company initially said the incident "may have exposed the email addresses and passwords of up to 14,22 million current and former customers, as well as those belonging to inactive accounts."

In more granular figures released afterward, KDDI said attackers gained access to the email addresses of 12,233,087 people and to the passwords of 7,616,173 people. KDDI noted that "some passwords were stored in hashed and/or encrypted form (making them harder to use for account hijacking)," but did not specify how many passwords were hashed or encrypted, whether some were stored in plaintext, or what type of encryption was used.

Technical vector: a zero‑day in third‑party software

In its July 6 update, KDDI said the initial breach on May 16 exploited a zero‑day vulnerability in third‑party software. KDDI quoted its investigation as finding that, "as of June 17, 2026, the date of our confirmation, this vulnerability was not recognized by the software vendor." The company added that the vendor has "reported this vulnerability to public authorities and is working toward disclosing the information."

KDDI's response: containment, password resets, and EDR

According to KDDI, it took immediate containment steps after discovery: blocking the attackers' access, implementing defensive measures, and commissioning a forensic audit. To prevent further account misuse, KDDI said it is "currently working to change the passwords of affected customers' email accounts," and that "many customers, primarily those who regularly use email services, have already changed their passwords."

For customers who do not frequently use email services, KDDI said it is arranging for ISP providers to "complete mandatory password changes within one or two days." The company has also deployed Endpoint Detection and Response (EDR) software to help detect future breach attempts.

What this means for end users, affected ISPs, and security teams

  • End users: KDDI is forcing or encouraging password changes and reports many regular users have already updated credentials; users of the named ISPs should expect mandatory password resets to be completed within one to two days where applicable.
  • Affected ISPs (STNet, JCOM, Chubu Telecommunications C, NIFTY Corporation, BIGLOBE): they are coordinating with KDDI on mandatory password changes and implementation of additional security measures following the forensic audit and the vendor’s disclosure to authorities.
  • Security teams and vendors: KDDI has deployed EDR and completed a forensic audit that found the exploited vulnerability addressed; the third‑party software vendor has reported the zero‑day to public authorities and is "working toward disclosing the information," highlighting the role of vendor disclosure timelines in downstream risk.

The breach combines two stark facts: a large population of email accounts exposed — more than 12 million addresses and millions of passwords — and a vector rooted in a zero‑day in third‑party software that, until June 17, had not been recognized by the software vendor. KDDI's containment, active password resets, EDR deployment, and notifications to Japan's privacy and communications authorities are the concrete steps the company has taken so far; the vendor's public disclosure process and unanswered technical details about how many passwords were stored in plaintext or what encryption was used remain the next items to watch.

Read the original report