
KDDI breach exposes 14.2 million email logins across 6 ISPs

Manaal Khan · June 28, 2026 at 8:01 PM · 5 min read

Key Takeaways

Source: BleepingComputer
  • Up to 14.2 million email addresses and passwords potentially exposed across KDDI and five partner ISPs in Japan
  • Attackers exploited a vulnerability in unnamed third-party software, highlighting supply chain security risks
  • Some passwords were hashed or encrypted, but KDDI has not disclosed what percentage were stored in plaintext

Japanese telecom operator KDDI Corporation disclosed a data breach that may have exposed up to 14.2 million email login credentials. The compromise affected KDDI's email infrastructure and five other internet service providers that rely on the company's systems. KDDI discovered the intrusion on June 17 and says it blocked the attacker immediately.

The breach originated from a vulnerability in third-party software running on KDDI's email systems. The company has not named the software or the vendor. That silence matters: without knowing which product failed, other organizations using the same tool cannot assess their own exposure.


Which ISPs were affected by the KDDI breach?

KDDI operates shared email infrastructure for regional providers across Japan. The breach impacted five partner ISPs: STNet, Inc., JCOM Co., Ltd., Chubu Telecommunications Co., Inc., NIFTY Corporation, and BIGLOBE Inc. Together with KDDI, that brings the total to six providers whose customers face potential credential exposure.

KDDI is Japan's second-largest telecommunications company, with 45,000 employees and annual revenue of $32.4 billion. The company formed in 2000 from a merger of IDO, DDI, and KDD, the former state-monopoly international carrier. Its scale means a breach of this kind ripples through a significant portion of Japan's consumer internet market.

What data was exposed?

According to KDDI's disclosure, attackers may have obtained email addresses and passwords for up to 14.2 million accounts. That figure includes current customers, former customers, and inactive accounts. The company has not finished its investigation, so the final count could be lower.

KDDI offered one partial assurance: some passwords were stored in hashed or encrypted form. But the company did not specify how many, and it did not say which algorithm was used. The distinction matters. Fast general-purpose hashes like MD5 or SHA-1 can be tested at billions of guesses per second on commodity GPUs; a salt defeats precomputed rainbow tables but does nothing to slow that brute force. Purpose-built password hashes like bcrypt, scrypt, or Argon2 are deliberately slow and memory-hard, so every guess costs the attacker real time. "Encrypted" is a different and weaker claim: reversible encryption means anyone who obtained the key along with the database can recover every password at once. Without these details, security teams cannot gauge real-world risk.

Worse, KDDI acknowledged that some passwords may have been stored in plaintext. Any credentials in that category are immediately usable for account takeovers.
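To make the distinction concrete, here is an added example (not code from the original article, from KDDI, or from BleepingComputer) of the triage an incident responder would run over a leaked credential dump: it classifies each stored secret by its format, runs a wordlist against the fast unsalted hashes, and contrasts that with salted scrypt storage from Python's standard library. The dump, the wordlist, and the addresses are constructed for the example, and the format-based classification is a heuristic, since nothing stops a user from choosing a password that happens to look like a hex digest.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed sample dump in the "email:stored_secret" shape credential leaks
# usually take. Addresses and secrets are made up for this example.
SAMPLE_DUMP = """\
alice@example.jp:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.jp:7c4a8d09ca3762af61e59520943dc26494f8941b
carol@example.jp:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
dave@example.jp:$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG
erin@example.jp:Summer2024!
"""

# Constructed wordlist; real attackers use lists with hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2024!"]

# Heuristic format detection. Most specific patterns first.
PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$")),
    ("scrypt", re.compile(r"^\$scrypt\$")),
    ("md5-unsalted", re.compile(r"^[0-9a-f]{32}$")),
    ("sha1-unsalted", re.compile(r"^[0-9a-f]{40}$")),
    ("sha256-unsalted", re.compile(r"^[0-9a-f]{64}$")),
]

FAST_HASHES = {"md5-unsalted": "md5", "sha1-unsalted": "sha1", "sha256-unsalted": "sha256"}


def classify_secret(secret: str) -> str:
    """Label a stored secret by format; anything unrecognised is treated as plaintext."""
    for label, pattern in PATTERNS:
        if pattern.match(secret):
            return label
    return "plaintext"


def crack_unsalted(secret: str, label: str, wordlist) -> Optional[str]:
    """Dictionary attack on an unsalted fast hash: one digest per guess, no salt to vary."""
    algo = FAST_HASHES.get(label)
    if algo is None:
        return None
    for guess in wordlist:
        if hashlib.new(algo, guess.encode()).hexdigest() == secret:
            return guess
    return None


def triage(dump: str, wordlist):
    """Return (email, label, recovered_password_or_None) for every line of the dump."""
    rows = []
    for line in dump.splitlines():
        email, secret = line.split(":", 1)
        label = classify_secret(secret)
        rows.append((email, label, crack_unsalted(secret, label, wordlist)))
    return rows


def usable_now(rows):
    """Accounts an attacker can log into with no further work: plaintext or already cracked."""
    return [email for email, label, recovered in rows if label == "plaintext" or recovered is not None]


# The storage scheme every account should have had: a per-user random salt plus a
# memory-hard KDF. hashlib.scrypt ships with CPython, so no extra package is needed.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"$scrypt$n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, scheme, params, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    kv = dict(item.split("=") for item in params.split(","))
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(kv["n"]), r=int(kv["r"]), p=int(kv["p"]))
    # Constant-time comparison so verification timing leaks nothing about the digest.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rows = triage(SAMPLE_DUMP, WORDLIST)
    for email, label, recovered in rows:
        print(f"{email:18} {label:16} {'CRACKED: ' + recovered if recovered else ''}")
    print("immediately usable:", usable_now(rows))
    stored = hash_password("Summer2024!")
    print("scrypt record:", stored[:40] + "...", "verifies:", verify_password("Summer2024!", stored))
```

Run against the constructed dump, the two unsalted entries fall to a five-word list in microseconds, the bcrypt and Argon2 entries survive it, and the plaintext entry needs no attack at all. Together with a dump's format mix, that is the "proportion stored insecurely" figure the article says KDDI has not published.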

How did the attackers get in?

The company traced the intrusion to a vulnerability in unnamed third-party software. Strictly, that is a supply chain risk rather than a supply chain attack: the disclosure describes a flaw exploited in a component KDDI deployed, not a compromise of the vendor or a malicious update. The outcome is the same either way. When organizations share infrastructure with partners, a single vulnerable component can compromise millions of accounts across corporate boundaries.

Although technical defensive measures have already been implemented for the system, there remains a possibility that customers' email addresses and passwords were obtained by unauthorized third parties as a result of the incident.

— KDDI Corporation, Official Statement

KDDI says it has been working with affected ISPs since June 17 to implement additional security measures. The company also notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.


What should affected users do now?

KDDI recommends that potentially affected customers reset their email passwords immediately. If two-factor authentication is available, users should enable it. Credential stuffing attacks, where attackers replay stolen username-password pairs against other services, routinely follow breaches like this, and plaintext entries need no cracking before they can be tried. Anyone who reused their ISP email password elsewhere should change those credentials too.

  • Reset your email password if you use any of the six affected ISPs
  • Enable two-factor authentication where available
  • Change passwords on any other accounts that shared the same credentials
  • Monitor email accounts for suspicious activity or password reset attempts
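From the defender's side, the credential-stuffing pattern described above shows up in authentication logs as one source address cycling through many different usernames in a short window, with a low success rate and the occasional hit. The following detector is an added example, not code from the original article or from any of the ISPs named in it. It runs over a few constructed log lines in an assumed `ts ip= user= result=` format and flags source IPs that attempted at least `min_users` distinct accounts inside a sliding window, listing any successful logins from that window as takeover candidates; a single user failing repeatedly from one address (the forgetful-user case) is deliberately not flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape for this example; adapt the regex to your mail platform's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 sprays six accounts and lands one; 198.51.100.9 is one
# user mistyping their own password; 192.0.2.20 is a normal login. The IPs are
# documentation ranges and the mailboxes are made up.
SAMPLE_LOG = """\
2026-06-20T10:00:01Z ip=203.0.113.7 user=a1@example.jp result=FAIL
2026-06-20T10:00:02Z ip=203.0.113.7 user=a2@example.jp result=FAIL
2026-06-20T10:00:03Z ip=203.0.113.7 user=a3@example.jp result=FAIL
2026-06-20T10:00:04Z ip=203.0.113.7 user=a4@example.jp result=OK
2026-06-20T10:00:05Z ip=203.0.113.7 user=a5@example.jp result=FAIL
2026-06-20T10:00:06Z ip=203.0.113.7 user=a6@example.jp result=FAIL
2026-06-20T10:01:00Z ip=198.51.100.9 user=bob@example.jp result=FAIL
2026-06-20T10:01:10Z ip=198.51.100.9 user=bob@example.jp result=FAIL
2026-06-20T10:01:20Z ip=198.51.100.9 user=bob@example.jp result=FAIL
2026-06-20T10:01:30Z ip=198.51.100.9 user=bob@example.jp result=OK
2026-06-20T10:02:00Z ip=192.0.2.20 user=carol@example.jp result=OK
garbage line that the parser must skip rather than crash on
"""


def parse_events(text: str):
    """Parse log lines into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it, never let bad input stall the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort()
    return events


def detect_stuffing(text: str, window: timedelta = timedelta(minutes=5), min_users: int = 5):
    """Flag source IPs that tried >= min_users distinct accounts inside any sliding window.

    Returns {ip: {"distinct_users": n, "takeover_candidates": [users that logged in OK
    from that IP while it was spraying]}}.
    """
    by_ip = defaultdict(list)
    for ev in parse_events(text):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        recent = deque()  # events from this IP inside the current window
        for ts, _, user, result in evs:
            recent.append((ts, user, result))
            while ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u, _ in recent}
            if len(users) >= min_users:
                alert = alerts.setdefault(ip, {"distinct_users": 0, "takeover_candidates": set()})
                alert["distinct_users"] = max(alert["distinct_users"], len(users))
                alert["takeover_candidates"] |= {u for _, u, r in recent if r == "OK"}

    for alert in alerts.values():
        alert["takeover_candidates"] = sorted(alert["takeover_candidates"])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {alert['distinct_users']} distinct accounts tried; "
              f"successful logins to review: {alert['takeover_candidates']}")
```

Real campaigns rotate through residential proxies so that each source IP sends only a handful of attempts; in production, key the same window logic on additional dimensions (ASN, user-agent, TLS fingerprint) and on the global rate of failures across distinct accounts, not only on per-IP counts.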

Supply chain risk in shared infrastructure

This breach illustrates a structural problem. Regional ISPs often lack the budget or expertise to build and maintain their own email platforms. They contract with larger operators like KDDI, gaining economies of scale. But that concentration creates a single point of failure. When KDDI's infrastructure is breached, five other ISPs and their customers inherit the damage.

Third-party software compounds the issue. KDDI did not build the vulnerable component. It licensed or deployed software from an outside vendor. Every link in the supply chain adds attack surface. And when vendors delay patches or organizations delay applying them, attackers find their opening.


Logicity's Take

KDDI's silence on the vulnerable software and the plaintext password percentage makes risk assessment nearly impossible for enterprises with exposure to the affected ISPs. CISOs should assume the worst until KDDI provides specifics on hashing algorithms and the proportion of credentials stored insecurely, and should treat any employee or customer who uses an affected ISP mailbox as a work contact or as the recovery address for other accounts as a credential-reuse and account-recovery risk. This breach also reinforces that third-party software audits must extend to every vendor in your supply chain, not just direct suppliers. Tools like Wiz, Snyk, and Black Duck offer software composition analysis (SCA) to flag vulnerable dependencies, typically starting at mid-five-figure annual contracts for enterprise tiers. Note what SCA does and does not cover: it inspects the dependencies of code you build. For vendor-supplied platforms of the kind at issue here, the equivalent controls are an SBOM from the vendor, an inventory of where that software runs, monitoring of the vendor's advisories, and a patch SLA written into the contract.

Frequently Asked Questions

How many accounts were affected by the KDDI data breach?

Up to 14.2 million email accounts may have been exposed. The figure includes current customers, former customers, and inactive accounts across KDDI and five partner ISPs.

Which ISPs were impacted by the KDDI breach?

Six ISPs in total: KDDI, STNet, JCOM, Chubu Telecommunications, NIFTY Corporation, and BIGLOBE Inc.

Were passwords encrypted in the KDDI breach?

Some passwords were hashed or encrypted, but KDDI has not disclosed the percentage or the algorithms used. Some credentials may have been stored in plaintext.

What caused the KDDI data breach?

Attackers exploited a vulnerability in third-party software running on KDDI's email infrastructure. The company has not identified the specific software or vendor.

What should I do if I'm a customer of an affected ISP?

Reset your email password immediately. Enable two-factor authentication if available. Change passwords on any other accounts where you reused the same credentials.


Need Help Implementing This?

Want to assess your organization's exposure to third-party software vulnerabilities or build a supply chain security program? Contact Logicity's advisory network for recommendations on SCA tools, vendor risk management frameworks, and incident response planning.



Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
