Last updated: July 5, 2026 at 9:01 AM UTC

KDDI email breach affects up to 14.2 million accounts across six Japanese ISPs

Japanese telecom giant KDDI has disclosed a breach of an email platform it operates for itself and several internet service providers, potentially exposing the email addresses and passwords of up to 14.22 million mailboxes. KDDI detected the intrusion on June 17, blocked the attacker the same day, and traced the entry to a vulnerability in unnamed third-party software used by the email system. Six ISPs are affected, including JCOM, Nifty, and Biglobe, and the figure covers current, former, and inactive accounts. KDDI says some passwords were hashed or encrypted but has not said how many were stored in plaintext, and is urging all affected users to change their passwords.

Check
Customers of KDDI or the affected ISPs, including JCOM, Nifty, and Biglobe, should change their email passwords immediately, change the password anywhere it was reused, and watch for phishing attempts.
Affected
Up to 14.22 million current, former, and inactive email accounts across six Japanese ISPs on KDDI's platform. Exposed addresses and passwords enable account takeover and phishing, and credential stuffing wherever a password was reused.
Fix
Affected users should change their email passwords and any passwords reused elsewhere, and enable multi-factor authentication. Organizations should inventory third-party software in shared platforms, patch promptly, and segment systems to limit breach scope.