KDDI has revealed that attackers compromised an email platform used by five internet service providers in Japan, exposing millions of customers’ email addresses and passwords after exploiting a previously unknown software vulnerability.
The company, Japan’s second-largest mobile telecommunications provider, said it detected the breach on June 17 and immediately blocked the attackers’ access while implementing security measures. The incident affected email services used by STNet, JCOM, Chubu Telecommunications, NIFTY Corporation, and BIGLOBE.
According to KDDI, the breach may have exposed the email addresses and passwords of up to 14.22 million current, former, and inactive account holders. The company said some passwords were stored in hashed or encrypted form, making them more difficult for attackers to misuse, but it did not disclose how many passwords were protected this way or whether any were stored in plain text.
In an update published on July 6, KDDI said its investigation found that the attackers first gained access to the platform on May 16 by exploiting a zero-day vulnerability in third-party software. The company noted that the software vendor was unaware of the flaw when the attack occurred and has since reported the vulnerability to the relevant authorities while preparing a public disclosure.
The investigation determined that attackers accessed the email addresses of 12,233,087 users and the passwords of 7,616,173 accounts.
KDDI is now working with affected internet service providers to secure impacted accounts. Many customers who actively use their email services have already changed their passwords, while ISPs are enforcing mandatory password resets for customers who rarely access their accounts to reduce the risk of unauthorized access.
Following the incident, KDDI deployed Endpoint Detection and Response (EDR) tools across its environment to improve its ability to detect future attacks. The company also said a forensic review completed on June 23 confirmed that the exploited vulnerability had been addressed and found no evidence of additional security issues on the affected systems.
KDDI has notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications about the breach and is continuing to work with the affected ISPs to strengthen security and reduce the potential impact on customers.





