Several ISPs and Millions of Customers Compromised in KDDI’s Email System Data Breach

A data breach affecting the email system of Japanese telecommunications company KDDI Corporation has impacted five internet service providers (ISPs) and tens of millions of customers.

KDDI learned of the data breach on June 17 and responded by terminating the threat actor’s access, activating its cyber incident response protocols, and launching an investigation.

“KDDI confirmed on June 17, 2026, that some information related to email services provided by internet service providers (ISPs) through KDDI’s email system (the “System”) may have been leaked externally,” KDDI disclosed.

Multiple ISPs hacked via a third-party email system vulnerability

The investigation determined that the attacker had exploited a vulnerability in the email system and potentially accessed customers’ email addresses and passwords. However, KDDI did not say whether the security flaw was a zero-day or an unpatched known exploited vulnerability (KEV).

ISPs that use the impacted email system and were affected by the data breach include STNet, Inc., JCOM Co., Ltd., Chubu Telecommunications Co., Inc., NIFTY Corporation, and BIGLOBE Inc. The data breach also leaked the email addresses and passwords of 14.22 million current and former customers, including those with inactive or canceled accounts.

“Although technical defensive measures have already been implemented for the system, there remains a possibility that customers’ email addresses and passwords were obtained by unauthorized third parties as a result of the incident,” the company stated.

However, some passwords were stored in hashed form and cannot be readily used to access the affected customers’ inboxes. The number of unencrypted account passwords and the name of the affected third-party email system had not been disclosed at the time of publication.

Meanwhile, KDDI has notified the Ministry of Internal Affairs and Communications and Japan’s Personal Information Protection Commission.

The telecom giant is also assisting affected ISPs in mitigating the impact of the data breach, has patched the affected email system, and has implemented additional security measures.

“It looks like KDDI Corp are responding to this breach as best they can but the nature and volume of the compromised information is of considerable concern,” said Brian Higgins, Security Specialist at Comparitech. “Email is ubiquitous in modern communications so the available data points offer all manner of opportunities for malicious actors.”

“Unfortunately third party and supply chain attacks are far more likely to succeed as most organizations are fairly used to protecting core networks these days, but the interconnectivity required to operate means that access devolves to those less aware of the dangers or less able to resource the necessary security protocols,” noted Higgins.

Affected customers should reset their passwords and enable multifactor authentication (MFA). They should also change the passwords of other accounts that reuse the leaked login credentials. Customers whose email addresses were leaked are at an elevated risk of phishing attacks and should be on the lookout for unsolicited emails. Accordingly, they should avoid clicking on suspicious links in emails or downloading attachments.

“A big breach of email accounts and passwords like this is much more serious than most data breaches. Email accounts are often what we use to log into other accounts,” said Paul Bischoff, Consumer Privacy Advocate at Comparitech. “We use email to verify new accounts, log in, change passwords, receive one-time codes, and recover other accounts. So a breach of an email account can lead to several more accounts being hijacked. Furthermore, cybercriminals can use hacked email accounts to spread scams, phishing, and spam. And of course, all of the information stored in your emails is at risk.”

Hackers continue to target email systems

Email systems contain troves of personal information, making them attractive targets for cybercriminals. Many major email systems have been targeted, leaking billions of sensitive records.

In 2021, hackers breached over 250,000 on-premises Microsoft Exchange Servers worldwide by exploiting zero-day vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Financially motivated hackers exploited the zero-day vulnerabilities to install ransomware, while Chinese state-sponsored actors leveraged the security flaws for cyber espionage.

Similarly, between January 1, 2019 and March 28, 2019, hackers breached customers’ Microsoft Outlook accounts after compromising support accounts. Hackers have also targeted Gmail, Proton Mail, Tutanota, and Zoho Mail via phishing attacks to steal login credentials.

Between 2013 and 2014, a massive Yahoo Mail data breach compromised billions of user accounts, exposing troves of sensitive information. In 2014, AOL also suffered a data breach that compromised a small percentage of user accounts, some of which were used for illicit activities.