Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Data Breach Exposes Up to 14.2 Million Email Logins at Six ISPs
Data Breach Exposes Up to 14.2 Million Email Logins at Six ISPs
NEWS

Data Breach Exposes Up to 14.2 Million Email Logins at Six ISPs

Japanese telecom giant KDDI Corporation disclosed a data breach affecting up to 14.22 million email accounts across six ISPs — including Nifty, Biglobe,...

Dylan H.

News Desk

June 28, 2026
5 min read

KDDI Email Platform Breach Affects Six Japanese ISPs

Japanese telecommunications operator KDDI Corporation has disclosed a significant data breach that exposed the email credentials of up to 14.22 million accounts across six internet service providers. The incident underscores the cascading risk of centralized infrastructure shared among multiple ISPs.


What Happened

Attackers exploited a vulnerability in third-party software embedded in KDDI's shared email infrastructure platform. Because KDDI operates a centralized email hosting system on behalf of multiple ISPs under management agreements, a single breach point cascaded across all six providers simultaneously.

Timeline

DateEvent
June 17, 2026Breach detected by KDDI
June 23, 2026Public disclosure made
June 25, 2026Nifty disables passwords for unchanged accounts
June 28, 2026Ongoing investigation and customer notifications

Affected ISPs

The breach affected email accounts managed across six providers:

ISPAffected Services
STNetPikara Hikari, Pikara Mobile, Oshigoto Pikara
KDDI Web CommunicationsCPI rental server email
JCOMJ:COM NET and associated cable TV operator services
Chubu TelecommunicationsCommufa Hikari, Business Commufa
Nifty Corporation@nifty Mail
BiglobeBIGLOBE Mail

What Data Was Exposed

The breach potentially exposed:

  • Email addresses — up to 14.22 million accounts (including inactive and cancelled accounts in the worst-case estimate)
  • Passwords — some stored in hashed or encrypted form, others potentially in weaker formats depending on the legacy system
  • Account metadata — account status, service associations

KDDI has not publicly confirmed whether plaintext credentials were exposed, but the broad scope of the disclosure and the mandatory password reset guidance suggest the risk is significant.


Why This Is Significant

The KDDI breach illustrates several compounding risks common in enterprise telecommunications environments:

Shared Infrastructure Risk

When a single platform manages email for multiple ISPs, a single vulnerability becomes a force multiplier. An attacker who compromises one component gains access to all tenants on that platform simultaneously — in this case, six distinct ISP customer bases.

Credential Reuse Threat

Even if passwords were stored in hashed form, cracking technologies have advanced significantly. MD5 and SHA-1 hashes remain trivially crackable with modern GPU-based tooling. If any customers reuse these passwords across banking, government portals, or corporate systems, the exposure extends far beyond email.

Scale of Impact in Japan

KDDI is one of Japan's three major telecom operators. The six affected ISPs collectively serve a significant portion of the Japanese residential and business internet market. The 14.22 million figure includes inactive accounts, but the active subset is still large enough to fuel large-scale credential stuffing campaigns.


KDDI's Response

Following discovery, KDDI took the following actions:

  • Modified affected systems to close the exploited vulnerability
  • Notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications as required under Japanese data protection law
  • Urged all affected customers to change email passwords immediately
  • Coordinated with ISPs to issue customer notifications

Nifty Corporation took an additional proactive step: on June 25, 2026, it disabled passwords for all @nifty Mail accounts that had not been changed since the breach deadline, forcing users to reset credentials before regaining access.


What Affected Users Should Do

If you hold an email account with any of the six affected ISPs, take these steps immediately:

  1. Change your email password — use a strong, unique password not used on any other service
  2. Enable two-factor authentication if your ISP offers it
  3. Change passwords on any other accounts where you used the same password as your ISP email
  4. Watch for phishing — attackers who have your email address may send targeted phishing messages impersonating your ISP, bank, or government services
  5. Monitor account activity — check for unexpected login attempts or sent emails you don't recognize
  6. Consider a password manager to prevent future credential reuse

Broader Implications

This breach adds to a growing pattern of attacks targeting ISP and telecommunications infrastructure globally. Earlier in 2026, US telecom operators faced congressional scrutiny over similar shared infrastructure vulnerabilities exploited by the Salt Typhoon threat group. The KDDI incident demonstrates that this is not an isolated regional problem — centralized email platforms operated on behalf of multiple ISPs represent a systemic architectural risk that attackers are actively targeting.

ISPs and telecoms operating shared infrastructure should conduct urgent third-party software audits, apply network segmentation between tenant environments, and consider zero-trust architectures that limit the blast radius of any single compromised component.


This story is developing. CosmicBytez Labs will update this article as additional details emerge from KDDI's investigation.

Related Reading

  • Salt Typhoon Senate Testimony: AT&T and Verizon Face Congressional Scrutiny
  • AT&T Breach: 176 Million Decrypted Records Resurface
  • CVE-2026-8095: WordPress Frontend File Manager Plugin Arbitrary File Deletion
#Data Breach#KDDI#Japan#ISP#Email Security#Credential Theft

Related Articles

Telco Giant KDDI Says Data Breach Affects Over 12 Million People

Japanese telecommunications giant KDDI confirmed attackers breached a shared email platform used by six ISPs, exposing 12.2 million email addresses and 7.6 million passwords via a zero-day vulnerability exploited on May 16.

4 min read

Major Japanese Telco Cyberattack Exposes 12 Million Email Accounts

A cyberattack on a major Japanese telecommunications provider compromised an email management system affecting five ISPs, exposing the accounts, webmail services, and stored email of approximately 12 million customers.

3 min read

Insurance Giant Aflac Discloses Data Breach After Subsidiary Hack

American insurance giant Aflac has disclosed a data breach impacting 4.38 million customers after attackers compromised its Japan subsidiary, stealing...

3 min read
Back to all News