Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Telco Giant KDDI Says Data Breach Affects Over 12 Million People
Telco Giant KDDI Says Data Breach Affects Over 12 Million People
NEWS

Telco Giant KDDI Says Data Breach Affects Over 12 Million People

Japanese telecommunications giant KDDI confirmed attackers breached a shared email platform used by six ISPs, exposing 12.2 million email addresses and 7.6 million passwords via a zero-day vulnerability exploited on May 16.

Dylan H.

News Desk

July 8, 2026
4 min read

Overview

Japan's second-largest telecommunications carrier, KDDI Corporation, has confirmed a significant data breach that exposed the email credentials of over 12 million customers across six internet service providers (ISPs). The breach, originally detected on June 17, 2026, was traced back to initial compromise on May 16 — over a month before discovery — via a zero-day vulnerability in unnamed third-party software embedded in KDDI's shared email infrastructure.

The final confirmed figures, published in KDDI's July 6 report to Japan's Ministry of Internal Affairs and Communications, stand at 12,233,087 email addresses and 7,616,173 passwords exposed. Earlier estimates had placed potential exposure as high as 14.22 million credentials.

The Breach Timeline

DateEvent
May 16, 2026Attackers exploit zero-day in third-party email platform software
June 17, 2026KDDI detects unauthorized access; blocks attacker; notifies ISPs and regulators
June 23, 2026Forensic audit confirms vulnerability patched; no other security issues found
June 23–28Public disclosure and media coverage begin
July 6, 2026KDDI submits report to Ministry of Internal Affairs and Communications with final figures
~August 202660-day final APPI report deadline

Affected ISPs

KDDI operates a shared email infrastructure for multiple ISP partners. The following six providers were affected:

  • STNet
  • KDDI Web Communications
  • JCOM
  • Chubu Telecommunications (Commufa)
  • Nifty Corporation (NIFTY)
  • BIGLOBE

KDDI confirmed its directly operated services — au mail, UQ mobile mail, and au one net mail — run on separate infrastructure and were not affected.

Attack Vector: Zero-Day Exploitation

KDDI attributed the breach to a zero-day vulnerability in third-party software integrated into the shared email platform. In its official disclosure, the company stated:

"As a result of our investigation, as of June 17, 2026, the date of our confirmation, this vulnerability was not recognized by the software vendor."

The attack is mapped to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). KDDI has declined to name the vulnerable software or its vendor. The company said it has no confirmed secondary damage (account hijacking, fraud) stemming from the breach as of the report date.

Password Storage Concerns

KDDI noted that some passwords were stored in hashed or encrypted form, but the company did not specify:

  • How many passwords were stored in plaintext vs. hashed
  • What hashing algorithm or encryption standard was used for protected accounts

This ambiguity means affected users should treat all exposed credentials as compromised.

KDDI's Response

Following discovery, KDDI took several immediate and longer-term actions:

  1. Blocked the attacker and implemented technical countermeasures on June 17
  2. Notified all six ISP partners and Japanese regulatory bodies on the same day
  3. Deployed EDR (Endpoint Detection and Response) software across affected systems
  4. Conducted forensic audit — completed June 23; confirmed no residual vulnerabilities
  5. Submitted ministerial report to the Ministry of Internal Affairs and Communications by July 6
  6. Is working with ISPs to forcibly reset passwords for all affected users

For future prevention, KDDI announced plans to introduce AI-powered analysis of software design documents and program code to proactively identify potential vulnerabilities in vendor integrations.

Regulatory Implications

The breach triggers obligations under Japan's Act on the Protection of Personal Information (APPI). Under the amended APPI:

  • A preliminary report must be filed with the Personal Information Protection Commission "promptly" — typically within 3–5 days of discovery
  • A final report is due within 60 days — placing KDDI's deadline around mid-August 2026
  • Non-compliance can result in fines of up to ¥100 million (~$700,000 USD) and potential criminal prosecution

This incident is the first KDDI breach to include passwords alongside email addresses, making it categorically more serious than any previous KDDI security incident.

What Affected Users Should Do

If you use any of the six affected ISPs, take these steps immediately:

  1. Reset your email password — do not wait for ISP notification
  2. Enable two-factor authentication on your email account if available
  3. Check for password reuse — if you used the same password on other services, change those too
  4. Monitor accounts for unusual login activity or unexpected password reset requests
  5. Be alert for phishing — threat actors may use exposed email addresses for targeted phishing campaigns

References

  • BleepingComputer: Telco giant KDDI says data breach affects over 12 million people
  • Security Affairs: KDDI data breach impacts up to 14.2 million email accounts
  • Japan Times: 12 million email addresses and 7 million passwords breached in KDDI cyberattack
#Data Breach#Japan#Telecom#Zero-Day#KDDI

Related Articles

Major Japanese Telco Cyberattack Exposes 12 Million Email Accounts

A cyberattack on a major Japanese telecommunications provider compromised an email management system affecting five ISPs, exposing the accounts, webmail services, and stored email of approximately 12 million customers.

3 min read

Data Breach Exposes Up to 14.2 Million Email Logins at Six ISPs

Japanese telecom giant KDDI Corporation disclosed a data breach affecting up to 14.22 million email accounts across six ISPs — including Nifty, Biglobe,...

5 min read

Insurance Giant Aflac Discloses Data Breach After Subsidiary Hack

American insurance giant Aflac has disclosed a data breach impacting 4.38 million customers after attackers compromised its Japan subsidiary, stealing...

3 min read
Back to all News