Data breach exposes up to 14.2 million email logins at six ISPs
Home<br>News<br>Security<br>Data breach exposes up to 14.2 million email logins at six ISPs
Data breach exposes up to 14.2 million email logins at six ISPs
By Bill Toulas
June 28, 2026
10:13 AM
Japanese telecommunications operator KDDI Corporation disclosed a data breach where threat actors gained access to one of its email systems used by five other internet service providers (ISPs) in the country.
The company says that it discovered the compromise on June 17 and responded immediately by blocking the attacker and implementing defense measures.
The investigation determined that the hackers exploited a vulnerability in an unnamed third-party software that KDDI Corporation used on its system.
“Although technical defensive measures have already been implemented for the system, there remains a possibility that customers' email addresses and passwords were obtained by unauthorized third parties as a result of the incident,” KDDI warns.
Scale of exposure
KDDI is one of Japan’s largest ISPs, with 45,000 employees and an annual revenue of $32.4 billion. It is a public entity that has operated since 2000, following the merger of IDO, DDI, and KDD, Japan's former state-monopoly international telecommunications provider.
The company says that the incident impacted the following five ISP operators and their email services:
STNet, Inc.
JCOM Co., Ltd.
Chubu Telecommunications C., Inc.
NIFTY Corporation
BIGLOBE Inc.
Although the investigation into the incident is still underway and the exact number of impacted accounts has yet to be determined, KDDI said it may have exposed the email addresses and passwords of up to 14,22 million customers.
This figure includes current and former customers, as well as inactive accounts that may no longer be in use.
Another mitigating factor, according to KDDI, is that some passwords were stored in hashed and/or encrypted form, meaning that they cannot be readily abused for account hijacks even if exposed.
However, KDDI did not specify what type of encryption was used or what percentage of accounts had passwords stored in plaintext.
KDDI says it has been contacting affected ISPs since June 17 and has also notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.
The company is currently working with affected ISPs to implement additional security measures to mitigate the risks arising from this exposure.
Meanwhile, customers who may have been exposed are advised to reset their email account passwords as soon as possible. If two-factor authentication (2FA) is available, it would be prudent to set it up as well for additional protection.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.<br>The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper
Related Articles:
Japanese energy firm loses drive with data of 10.9 million clients<br>Webinar: Why business email compromise attacks keep succeeding<br>LastPass confirms data breach in Klue supply chain attack<br>Healthtech firm Xolis suffers data breach impacting 1.4 million people<br>Webinar: Why email security teams are drowning in alerts
Data Breach
Email Address
ISP
Japan
Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
Previous Article
Next Article
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now
You may also like:
Upcoming Webinar
Popular Stories
FBI: Russian hackers now target Signal backup recovery keys
CISA sets urgent deadline to fix Cisco flaw exploited in attacks
Polymarket customers lose $3 million in supply-chain attack
Sponsor Posts
Build a GRC agent in minutes, no code. Get early access to Agent Studio.
VOIP Detection with Phone.com and IPQS
Prove any CVE is exploitable without firing an exploit. Read the TTP-chaining guide.
See how Pixellot discovered and secured hundreds of unmanaged AI agent identities in weeks, not months. Read the case study.
Overdue a password health-check? Audit your Active Directory for free
Upcoming Webinar
Login
Username
Password
Remember Me
Sign in anonymously
Sign in with Twitter
Not a member yet? Register Now
Reporter
Help us understand the problem. What is going on with this comment?
Spam
Abusive or Harmful
Inappropriate content
Strong language
Other
Read our posting guidelinese to learn what content is prohibited.
Submitting...
SUBMIT