KDDI Corporation experienced a data breach due to exploitation of a vulnerability in third-party software on an email system shared with five other Japanese ISPs. The breach may have exposed up to 14.2 million email logins, including addresses and passwords. The incident was discovered on June 17, 2026, and KDDI promptly blocked the attacker and implemented defensive measures. While some passwords were hashed or encrypted, the company did not specify the encryption methods or the proportion of plaintext passwords. The breach affects multiple ISPs: STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE. KDDI has notified relevant Japanese authorities and is collaborating with affected ISPs to mitigate risks. Customers are recommended to reset passwords and enable 2FA if available.

Potential exposure of up to 14.2 million email addresses and passwords from six ISPs in Japan, including current, former, and inactive accounts. This could lead to unauthorized access to email accounts if plaintext passwords were obtained. The exact extent of password exposure and encryption status is unclear, limiting the ability to assess the full impact. The breach affects multiple major ISPs, potentially impacting a large user base.

KDDI has already blocked the attacker and implemented defensive measures on the affected system. Customers potentially impacted are advised to reset their email account passwords immediately and enable two-factor authentication if available. KDDI is working with affected ISPs and Japanese regulatory authorities to implement additional security controls. Patch status for the exploited third-party software is not disclosed; therefore, check vendor advisories for updates. No further specific mitigations are provided by KDDI at this time.