KDDI data breach exposes up to 14.2 million email accounts across six Japanese ISPs

Japanese telecommunications operator KDDI has disclosed a major data breach potentially affecting up to 14.22 million email accounts across six internet service providers, making it one of the largest cybersecurity incidents in Japan this year.

KDDI said it detected unauthorized access to its managed email system on June 17, 2026, and contained the intrusion the same day. The breach was not discovered through an external report; KDDI’s own security monitoring identified the suspicious activity and blocked further access.

The attacker exploited vulnerabilities in third-party software integrated into the email platform, according to KDDI’s investigation. This allowed the threat actor to access credentials linked to user mailboxes across providers that rely on KDDI’s infrastructure.

The six affected ISPs are STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty Corporation, and BIGLOBE. Services impacted include Pikara Hikari, J:COM NET, Commufa Hikari, @nifty Mail, and BIGLOBE Mail, among others.

The exposed data includes email addresses and passwords. KDDI said the passwords were hashed and encrypted, which limits the immediate risk of direct account compromise, but noted that phishing and identity theft remain concerns. Email content may also have been accessed.

KDDI has reported the incident to Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. The company has urged affected users to change their passwords immediately and is coordinating with the six ISPs on customer notifications and password resets.

The breach follows a pattern of cyberattacks targeting shared infrastructure in the telecommunications sector. Security researchers noted that compromises of third-party software platforms can amplify the impact of a single vulnerability across multiple downstream providers.

KDDI said it has strengthened its defenses and implemented additional protective measures after identifying the entry point used by the attacker. The identity of the threat actor remains unknown, and investigations are ongoing.

Sources: Data breach exposes up to 14.2 million email logins at six ISPs (BleepingComputer, June 28, 2026); KDDI Data Breach Impacts up to 14.2 Million Email Accounts at Six ISPs (Security Affairs, June 28, 2026)
