Overview
Japan's second-largest telecommunications carrier, KDDI Corporation, has confirmed a significant data breach that exposed the email credentials of over 12 million customers across six internet service providers (ISPs). The breach, originally detected on June 17, 2026, was traced back to initial compromise on May 16 — over a month before discovery — via a zero-day vulnerability in unnamed third-party software embedded in KDDI's shared email infrastructure.
The final confirmed figures, published in KDDI's July 6 report to Japan's Ministry of Internal Affairs and Communications, stand at 12,233,087 email addresses and 7,616,173 passwords exposed. Earlier estimates had placed potential exposure as high as 14.22 million credentials.
The Breach Timeline
| Date | Event |
|---|---|
| May 16, 2026 | Attackers exploit zero-day in third-party email platform software |
| June 17, 2026 | KDDI detects unauthorized access; blocks attacker; notifies ISPs and regulators |
| June 23, 2026 | Forensic audit confirms vulnerability patched; no other security issues found |
| June 23–28 | Public disclosure and media coverage begin |
| July 6, 2026 | KDDI submits report to Ministry of Internal Affairs and Communications with final figures |
| ~August 2026 | 60-day final APPI report deadline |
Affected ISPs
KDDI operates a shared email infrastructure for multiple ISP partners. The following six providers were affected:
- STNet
- KDDI Web Communications
- JCOM
- Chubu Telecommunications (Commufa)
- Nifty Corporation (NIFTY)
- BIGLOBE
KDDI confirmed its directly operated services — au mail, UQ mobile mail, and au one net mail — run on separate infrastructure and were not affected.
Attack Vector: Zero-Day Exploitation
KDDI attributed the breach to a zero-day vulnerability in third-party software integrated into the shared email platform. In its official disclosure, the company stated:
"As a result of our investigation, as of June 17, 2026, the date of our confirmation, this vulnerability was not recognized by the software vendor."
The attack is mapped to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). KDDI has declined to name the vulnerable software or its vendor. The company said it has no confirmed secondary damage (account hijacking, fraud) stemming from the breach as of the report date.
Password Storage Concerns
KDDI noted that some passwords were stored in hashed or encrypted form, but the company did not specify:
- How many passwords were stored in plaintext vs. hashed
- What hashing algorithm or encryption standard was used for protected accounts
This ambiguity means affected users should treat all exposed credentials as compromised.
KDDI's Response
Following discovery, KDDI took several immediate and longer-term actions:
- Blocked the attacker and implemented technical countermeasures on June 17
- Notified all six ISP partners and Japanese regulatory bodies on the same day
- Deployed EDR (Endpoint Detection and Response) software across affected systems
- Conducted forensic audit — completed June 23; confirmed no residual vulnerabilities
- Submitted ministerial report to the Ministry of Internal Affairs and Communications by July 6
- Is working with ISPs to forcibly reset passwords for all affected users
For future prevention, KDDI announced plans to introduce AI-powered analysis of software design documents and program code to proactively identify potential vulnerabilities in vendor integrations.
Regulatory Implications
The breach triggers obligations under Japan's Act on the Protection of Personal Information (APPI). Under the amended APPI:
- A preliminary report must be filed with the Personal Information Protection Commission "promptly" — typically within 3–5 days of discovery
- A final report is due within 60 days — placing KDDI's deadline around mid-August 2026
- Non-compliance can result in fines of up to ¥100 million (~$700,000 USD) and potential criminal prosecution
This incident is the first KDDI breach to include passwords alongside email addresses, making it categorically more serious than any previous KDDI security incident.
What Affected Users Should Do
If you use any of the six affected ISPs, take these steps immediately:
- Reset your email password — do not wait for ISP notification
- Enable two-factor authentication on your email account if available
- Check for password reuse — if you used the same password on other services, change those too
- Monitor accounts for unusual login activity or unexpected password reset requests
- Be alert for phishing — threat actors may use exposed email addresses for targeted phishing campaigns