Japan's second-largest telecommunications carrier, KDDI Corporation, confirmed on June 23, 2026 that unauthorized access to an email platform it operates on behalf of internet service providers may have exposed the credentials of up to 14.22 million customers. The company first detected the potential external data leak on June 17, 2026, and disclosed that attackers exploited a vulnerability in third-party software embedded within the email system. The compromised data spans active accounts, dormant accounts, and even users who had previously cancelled their service, affecting customers across six separate ISPs.
What Happened
According to KDDI's official press release dated June 23, 2026, the company confirmed on June 17 that the shared email system it supplies to multiple ISPs had been subjected to unauthorized access. On the same day it detected the intrusion, KDDI modified the system to contain the damage, identified the point of compromise, and implemented technical defensive measures.
KDDI's investigation determined that the attacker exploited a vulnerability in third-party software used within the email platform. Because the platform is a shared backend service supplied to several providers, a single point of compromise cascaded across all six ISPs that rely on it. The company stated it is continuing to investigate the full scope of impact and has begun reporting to and consulting with Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications, in line with relevant laws and regulations.
The six affected ISPs and their associated email services are:
- STNet, Inc.: email services for Pikara Hikari, Pikara Mobile, and Oshigoto Pikara
- KDDI Web Communications Inc.: email services for the CPI rental server
- JCOM Co., Ltd.: email services for J:COM NET and cable television operator mail
- Chubu Telecommunications Co., Inc.: email services for Commufa Hikari and Business Commufa
- Nifty Corporation: @nifty Mail
- BIGLOBE Inc.: BIGLOBE Mail
Several of these are among Japan's most widely used consumer and business internet providers, meaning the exposure reaches well beyond a single regional customer base.
What Was Taken
The leaked data consists of customer email-related information required to use the email services, specifically email addresses and passwords tied to those accounts. KDDI placed the upper bound of potentially affected accounts at 14.22 million.
Three categories of accounts were caught in the exposure: active accounts in current use, dormant accounts that remain provisioned but unused, and accounts belonging to customers who had cancelled their service at some point in the past. The inclusion of cancelled and dormant accounts is notable. It indicates the breached system retained credential data long after accounts stopped being actively serviced, expanding the pool of exposed records and the window of historical liability.
The pairing of email addresses with passwords is the most sensitive element. Unlike a breach of addresses alone, exposed credential pairs are immediately actionable for account takeover and downstream abuse.
Why It Matters
This incident is significant for defenders on three fronts. First, scale: 14.22 million credential pairs represent one of the larger telecom-linked exposures in the Japanese market, and the affected providers collectively serve a substantial share of the country's consumer and business internet users.
Second, the shared-platform architecture is the core lesson. KDDI operates a single email backend leased to six independent ISPs. One vulnerability in that shared system simultaneously exposed customers of all six brands, none of whom chose KDDI's platform directly. This is a textbook supply chain and concentration risk: end customers had no visibility into the upstream provider whose software flaw exposed them.
Third, the data type drives the threat. Email and password combinations feed directly into credential-stuffing campaigns, given how frequently users reuse passwords across services. Even accounts that are dormant or cancelled remain dangerous, because the credentials may still unlock other services where the same email and password were reused. Defenders should treat this as a credential-exposure event with a long tail, not a contained one-time leak.
The Attack Technique
KDDI attributes the intrusion to exploitation of a vulnerability in third-party software running inside the email system. The company has not publicly named the specific software component or the vulnerability class as of this disclosure, and no threat actor has been attributed.
The disclosure timeline indicates rapid containment relative to detection: KDDI says it confirmed the unauthorized access and modified the system to stop further damage on the same day, June 17, then identified the point of compromise and applied technical defenses. The dependence on a third-party software flaw places this incident in the well-worn pattern of attackers targeting widely deployed software components rather than the operator's own custom code, then leveraging that foothold to reach the customer data the platform stores.
What Organizations Should Do
- Reset and rotate credentials for any account on the affected services (Pikara, CPI, J:COM NET, Commufa, @nifty Mail, BIGLOBE Mail, and associated mail), and force password changes for dormant and cancelled accounts that still exist in your systems.
- Treat the exposed email and password pairs as live credential-stuffing fuel. Hunt for unusual login patterns, credential-reuse attempts, and spikes in authentication failures across your own services, especially if your users overlap with these ISPs.
- Enable multi-factor authentication everywhere it is available, and prioritize it for any account whose recovery address is one of the affected mail domains.
- Audit third-party and embedded software components in your own platforms. This breach began in a leased software dependency; maintain a current software inventory, track upstream advisories, and patch known vulnerabilities in shared backend systems quickly.
- Review data retention policies for inactive and cancelled accounts. Credentials retained long after service ends expand the blast radius of any breach; purge or strongly hash and isolate data you no longer need.
- If you operate or resell shared platform services, map your concentration risk and ensure contractual breach-notification and incident-response obligations with upstream suppliers are explicit and tested.
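As an added illustration of the second and third actions above (not KDDI's or any affected ISP's code), the following triage logic flags credential-stuffing sources in a service's own auth logs and prioritizes accounts whose recovery address sits on an affected provider's mail domain. The four-field log format, the thresholds, and the placeholder watched domains are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed placeholders standing in for the affected ISPs' mail domains.
WATCHED_RECOVERY_DOMAINS = {"isp-a.example", "isp-b.example"}

# Constructed sample auth log: "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2026-06-18T02:00:01 203.0.113.7 alice@corp.example FAIL
2026-06-18T02:00:02 203.0.113.7 bob@corp.example FAIL
2026-06-18T02:00:03 203.0.113.7 carol@corp.example FAIL
2026-06-18T02:00:04 203.0.113.7 dave@corp.example OK
2026-06-18T02:00:05 203.0.113.7 erin@corp.example FAIL
2026-06-18T02:00:06 203.0.113.7 frank@corp.example FAIL
2026-06-18T09:15:00 198.51.100.4 alice@corp.example FAIL
2026-06-18T09:15:30 198.51.100.4 alice@corp.example OK
"""

def parse_log(text):
    """Parse the assumed four-field log format into (time, ip, user, ok)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_success=0.2):
    """Flag source IPs that hit many distinct usernames within one window with
    mostly failures: a stuffing signature, unlike one user mistyping a password.
    Any success inside such a window is a likely account takeover."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            hits = sorted(u for _, u, ok in span if ok)
            if len(users) >= min_users and len(hits) / len(span) <= max_success:
                flagged[ip] = {"users": sorted(users), "takeovers": hits}
                break
    return flagged

def at_risk_accounts(accounts):
    """accounts: {username: recovery_email}. Accounts whose recovery address
    sits on a watched domain get priority for forced reset and MFA."""
    return sorted(u for u, rec in accounts.items()
                  if rec.rsplit("@", 1)[-1].lower() in WATCHED_RECOVERY_DOMAINS)
```

The single-user retry from 198.51.100.4 is left alone, while the spray from 203.0.113.7 is flagged together with the one account it succeeded against.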
Sources: KDDI Data Breach 2026: 14.22 Million Email Records Exposed | The CyberSec Guru