KDDI Data Breach: 14.2 Million ISP Email Logins Exposed in Japan

A breach at KDDI exposed up to 14.2 million email logins across six Japanese ISPs. Here is how one software flaw triggered a cascade and why it matters.

Govern Identity Before Credentials Become Impact
  • June 29, 2026

Just one vulnerability in the email system employed by KDDI resulted in the compromise of up to 14.2 million email login credentials from six different Japanese Internet Service Providers. The KDDI breach reported at the end of June 2026 is certainly one of the biggest exposure incidents that have happened in Japan so far.

One Flaw, Six Providers Hit at Once

KDDI runs a common email system used by several internet service providers. Therefore, when attackers slipped through, the damage spread far beyond a single company. The affected services include:

  • STNet (Pikara mail)
  • KDDI Web Communications (CPI rental-server mail)
  • JCOM (J:COM NET mail)
  • Chubu Telecommunications (Commufa mail)
  • Nifty (@nifty Mail)
  • BIGLOBE (BIGLOBE Mail)

Notably, KDDI’s own au and UQ mobile mail ran on separate systems. As a result, those consumer accounts stayed untouched. The intrusion instead struck the shared backbone, which explains the unusually wide blast radius.

Inside the Timeline of a Fast Response

KDDI identified the breach on June 17, 2026. The company changed the system, discovered the probable point of entry, and installed preventive techniques on the same day. Thereafter, it started informing each of the affected service providers sequentially.

Announcement was made on June 23. In the meantime, Nifty had been aggressive. They instructed @nifty Mail users to change their passwords before June 25. Afterwards, they started disabling passwords that did not change till the following day.

KDDI Breach – 14.2M Email Credentials Exposed Across Six Japanese ISPs
Shared Email System Breach · Japan

THE KDDI BREACH

Email Logins Exposed
14.2M
INCIDENT: KDDI_SHARED_EMAIL_SYSTEM
IMPACT: 6_JAPANESE_ISPs
STATUS: DISCLOSED // JUNE_2026
A single vulnerability in KDDI’s shared email system exposed up to 14.2 million email login credentials across six Japanese internet service providers at once. Disclosed at the end of June 2026, it is one of the largest exposure incidents Japan has seen.
DISCOVERED: 2026-06-17
DISCLOSED: 2026-06-23
AU / UQ MOBILE MAIL: UNAFFECTED
Breach At A Glance
14.2M
Credentials
Email addresses and passwords exposed across the shared system
6
ISPs Hit
One flaw cascaded to six providers on KDDI’s shared backbone
Unclear
Password Safety
KDDI says passwords were “including” hashed/encrypted, with no plaintext ratio given
~46%
Of Japan’s 2025 Total
Of the ~30.6M people exposed by listed Japanese firms across 180 breaches in 2025
One Flaw, Six Providers Hit At Once

KDDI runs a common email system used by several ISPs, so when attackers slipped through, the damage spread far beyond a single company. The affected services include STNet (Pikara mail), KDDI Web Communications (CPI), JCOM (J:COM NET), Chubu Telecommunications (Commufa), Nifty (@nifty Mail), and BIGLOBE. KDDI’s own au and UQ mobile mail ran on separate systems and stayed untouched.

KDDI identified the breach on June 17, 2026, changed the system, found the probable entry point, and added preventive measures the same day, then notified providers and announced publicly on June 23. Nifty moved aggressively, telling @nifty Mail users to change passwords before June 25 and disabling those left unchanged afterward.

What Stolen Email Logins Become
  • Credential stuffing: reused passwords brute-forced against accounts on other websites.
  • Phishing: campaigns impersonating KDDI and its ISP brands to trick more victims.
  • Account takeover & BEC: hijacked mailboxes used for business email compromise.
  • Password resets: pivoting into banking and cloud accounts, with password reuse silently spreading the damage.

The Password Question Nobody Will Answer

The really frightening part is here. The company KDDI confirmed that the data breach had involved email addresses and passwords. Yet, these passwords were qualified as being “including” hashed or encrypted ones.

It is crucial to understand why it is formulated like that:

  • No claim about all passwords being secured.
  • No split ratio for hashing versus plaintext.
  • Nothing about inability of plaintext storage.

Thus, customers can hardly estimate their own security. Even if some small share of these 14.2 million passwords have been stored in plaintext, the danger becomes an actual one.

How Shared Email Systems Multiply Damage

Shared infrastructure delivers efficiency, yet it also concentrates risk. One vulnerability in third-party software became a problem for six brands simultaneously. Furthermore, systems managed outside an organization often suffer slower detection.

KDDI still has not named the flawed software or any CVE. Because of that silence, other providers running the same product cannot easily check their own exposure. This opacity weakens the wider industry, not only KDDI’s customers.

What Stolen Email Logins Become Next

They make for an easy target since they can reset everything else. Once they get exposed, they can be used for multiple exploits:

  • Credential stuffing, where the passwords are used for brute-forcing accounts on different websites
  • Phishing campaigns impersonating KDDI and its service providers
  • Taking over accounts and performing business email compromise
  • Password resets to banking and cloud accounts

The danger multiplies with password reuse. As such, once a password is obtained from one ISP, other accounts may be compromised silently.

Japan’s Credential Crisis Keeps Growing

The numbers elsewhere look equally alarming. In November 2025, Have I Been Pwned absorbed nearly 2 billion unique email addresses from one massive credential-stuffing dataset. Against that backdrop, 14.2 million fresh logins hand attackers plenty of new ammunition.

Japan’s own figures reinforce the trend. Listed Japanese firms reported 180 breach cases in 2025, exposing data on about 30.6 million people. Strikingly, the KDDI incident alone accounts for nearly half that yearly total.

Conclusion: When One Shared System Exposes Millions

The KDDI breach shows how quickly shared infrastructure can turn one software flaw into a multi-provider credential crisis. A single email system used across six Japanese ISPs may have exposed up to 14.2 million email logins, including addresses and passwords tied to active and inactive accounts.

That is the real danger. The breach did not need to hit every provider separately. One shared backbone created one shared blast radius.

Why This Threat Matters

Email credentials are not ordinary records. They are keys to identity, password resets, cloud accounts, banking portals, business communication, and future fraud.

  • Stolen email logins can fuel credential stuffing
  • Reused passwords can expose unrelated accounts
  • Compromised mailboxes can enable phishing and BEC
  • Password reset abuse can open access to banking and cloud services
  • Unclear password protection creates uncertainty for affected users
  • Shared infrastructure multiplies risk across multiple brands at once

For ISPs, telecom providers, and managed service environments, the lesson is clear. Efficiency without control can turn one vulnerable system into millions of exposed users.

Where Xcitium Changes the Outcome

This type of breach requires layered control, visibility before exposure, identity protection after credential risk, and Execution Governance if access becomes activity inside the environment.

Xcitium Vulnerability Assessment helps organizations identify vulnerable services, exposed systems, risky configurations, and patch gaps before one software weakness becomes a shared infrastructure incident.

Xcitium ITDR strengthens the identity layer when exposed credentials are reused against mailboxes, cloud accounts, privileged systems, or business applications.

And if attackers use stolen access to run tools, scripts, payloads, or lateral movement activity, Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, applies Execution Governance.

Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Runtime behavior is governed before trust exists.
Security teams gain proof of what unknown execution could not do.

This is the correct sequence of control.
Expose the risk.
Secure identity abuse.
Govern execution before access becomes impact.

Credential Breaches Become Bigger Than Passwords

The KDDI incident proves that email login exposure is never just an email problem. Once credentials leave the system, attackers can reuse them, test them, phish with them, and turn them into broader account compromise.

Change passwords immediately.
Block reuse across services.
Validate shared infrastructure continuously.
Govern unknown execution before stolen access becomes operational damage.

Like what you see? Share with a friend.

Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent if from causing any damage. Zero infection. Zero damage.

Book a Demo