A quiet June disclosure turns into a massive data dump
When KDDI first acknowledged a security incident in June, the company gave few details. Now the numbers are out — and they are staggering. On Monday, one of Japan’s three largest telecom providers confirmed that a cyberattack on an email platform exposed more than 12.2 million customer email addresses and roughly 7.6 million passwords.
The breach hit an email system that five Japanese internet service providers (ISPs) use to manage customer accounts, webmail, and email storage. KDDI said the attackers exploited a vulnerability in third-party software powering that platform. The company patched the flaw and modified the system immediately after detecting the intrusion.
Investigators found no evidence the attackers moved beyond that single vulnerability. Still, the scale is hard to ignore: 12.2 million email addresses and 7.6 million passwords is one of the largest credential exposures in Japanese telecom history.
What was actually compromised?
The exposed data includes email addresses and passwords for customers of five unnamed ISPs that rely on KDDI’s backend email platform. The company stressed that its own consumer email services for mobile and fixed-line internet customers run on separate infrastructure and were not affected.
KDDI said many affected users have already changed their passwords. The ISPs involved are working to complete mandatory password resets in the coming days.
- 12.2 million email addresses exposed
- 7.6 million passwords leaked
- Five Japanese ISPs affected
- KDDI’s own consumer email services untouched
How the attackers got in
The entry point was a vulnerability in third-party software. KDDI did not name the vendor or the specific software, but the company said it patched the flaw as soon as it was discovered. The telco submitted a detailed report to Japan’s communications ministry earlier this week, which confirmed the full scope of the breach.
“We are analyzing the scope of the impact and the cause, responding to customers in coordination with ISP operators, and taking measures to prevent a recurrence,” KDDI said in a statement.
The company’s forensic investigation found no signs of lateral movement. That suggests the attack was contained to the email platform itself. Still, with millions of passwords in the open, the risk of credential stuffing and phishing attacks is real. Security experts recommend that affected users enable two-factor authentication wherever possible and avoid reusing passwords across services.
Japan’s rough summer of cyberattacks
The KDDI data breach is not an isolated event. Japanese companies have reported a string of cyber incidents in recent weeks. The Japanese unit of Aflac, electronics manufacturer Nidec, and brewer Sapporo Holdings have all disclosed breaches or cyber-related disruptions. There is no evidence these incidents are connected.
Separately, Tokyo police this week arrested a 15-year-old high school student on suspicion of exploiting a vulnerability in the servers of Bandai Channel, an anime streaming service. The teenager is accused of fraudulently canceling more than 46,000 user subscriptions. That case appears unrelated to the KDDI attack, but it underscores the breadth of threats facing Japanese digital infrastructure.
What KDDI customers should do now
If you use an email service provided by one of the five affected ISPs, assume your credentials were leaked. KDDI says password resets are underway, but users should not wait.
Take these steps immediately:
- Change your email password right away — do not wait for the ISP to force a reset.
- If you reused that password anywhere else, change it there too.
- Enable two-factor authentication on your email account.
- Watch for phishing emails that reference the breach. Attackers often use stolen email lists to send targeted scams.
KDDI is Japan’s second-largest mobile network operator and a major player in broadband, cloud computing, cybersecurity, and data center services. The company has not said whether it will offer credit monitoring or identity theft protection to affected users.
For a broader look at how telecom giants handle security incidents, check out our coverage of major telecom data breaches and best practices for password hygiene after a leak.