KDDI, one of Japan's three largest telecommunications providers, confirmed on Monday that a cyberattack against an email platform it operates for internet service providers exposed more than 12.2 million customer email addresses and 7.6 million passwords. The company first disclosed unauthorized access in June but only confirmed the scale after completing a forensic investigation and filing a report with Japan's communications ministry earlier this week.
What Happened
KDDI operates a shared email platform that manages customer email accounts, webmail services and email storage on behalf of five separate Japanese internet service providers. Attackers gained unauthorized access to this platform by exploiting a vulnerability in third-party software used to run it.
The company says it detected the intrusion in June, immediately patched the flaw and modified the affected system. After forensic analysis, investigators reported finding no evidence that the attackers moved beyond the exploited vulnerability into other systems. KDDI's own consumer email services for its mobile and fixed-line internet subscribers run on separate infrastructure and were not affected.
The affected ISPs are now completing mandatory password resets. KDDI noted that many active email users have already changed their passwords voluntarily, and that remaining resets will be enforced in the coming days.
What Was Taken
The confirmed exposure covers two categories of highly sensitive data:
- More than 12.2 million customer email addresses
- More than 7.6 million passwords
The gap between the two figures suggests not every exposed account had an associated password compromised, but the scale on both counts is severe. Email addresses paired with passwords are immediately actionable for credential stuffing, account takeover and highly targeted phishing. Because the platform handled webmail and email storage, attackers with valid credentials could potentially access the contents of victim inboxes, not just the account shells.
Why It Matters
This breach illustrates the concentrated risk of shared, multi-tenant infrastructure. A single email platform served five ISPs, meaning one compromised vendor system cascaded into millions of exposed accounts across multiple downstream brands. Defenders should treat any provider that aggregates identity or messaging services for multiple clients as a high-value single point of failure.
The incident also arrives during a visible cluster of cyber activity affecting major Japanese organizations, including the Japanese unit of Aflac, electronics manufacturer Nidec and brewer Sapporo Holdings. There is no indication these events are linked, but the pattern signals sustained pressure on large Japanese enterprises and their supply chains. Email credentials at this volume feed directly into follow-on fraud campaigns that can persist for months after the original breach is closed.
The Attack Technique
According to KDDI, the attackers exploited a vulnerability in third-party software that the email platform depended on. This is a classic supply-chain-adjacent failure: the telecom's own perimeter was not the initial weakness, but a component it inherited from an external vendor.
KDDI has not publicly named the vulnerable software or the specific CVE. The company reports the intrusion was contained to the exploited flaw, with no observed lateral movement, and that the underlying vulnerability was patched immediately upon detection. The speed of disclosure to regulators, followed weeks later by confirmed impact figures, is consistent with a genuine forensic timeline rather than a rushed public statement.
What Organizations Should Do
- Inventory third-party and open-source components in any customer-facing platform, and subscribe to vendor security advisories so patchable flaws are caught before exploitation.
- Enforce password resets for any credential set that may have been exposed, and require multi-factor authentication on email and webmail to blunt credential-stuffing reuse.
- Monitor for credential-stuffing and account-takeover attempts across all downstream brands sharing the same infrastructure, not just the tenant where the breach was found.
- Segment multi-tenant platforms so that a single exploited component cannot expose the full customer base, and validate that logging captures cross-tenant access.
- Prepare customers directly for targeted phishing that leverages leaked email addresses, since attackers will impersonate the provider and the affected ISPs during the reset window.
- Rehearse the regulator-notification and forensic-disclosure workflow now, so that scope can be confirmed and communicated quickly when an incident does occur.
Sources: Major Japanese telco says cyberattack exposed 12 million emails | The Record