VYPR
breachPublished Jul 8, 2026· 1 source

Japanese Telecom KDDI Reports Massive Data Breach Affecting Over 12 Million Users

Japanese telecom giant KDDI has disclosed a significant data breach impacting over 12 million individuals, with attackers accessing an email platform and exposing email addresses and passwords.

Japanese telecommunications giant KDDI has announced a major data breach that has potentially exposed the personal information of over 12 million individuals. The incident occurred when attackers gained access to an email platform utilized by five internet service providers (ISPs) in Japan, leading to the exposure of email addresses and, in some cases, passwords.

KDDI, the second-largest mobile carrier in Japan, confirmed that the breach affected its subsidiary STNet, as well as ISPs JCOM, Chubu Telecommunications C, NIFTY Corporation, and BIGLOBE. The company stated that the incident may have compromised the email addresses of up to 12,233,087 customers and former customers, along with the passwords of 7,616,173 individuals. Some of these passwords were reportedly stored in hashed or encrypted formats, but KDDI did not specify the extent of plaintext password exposure or the encryption methods used.

The breach was first detected on June 17, 2026, when KDDI blocked the attackers' access and initiated defensive measures. However, the company revealed in an update on July 6 that the attackers had initially exploited a zero-day vulnerability in a third-party software on May 16. KDDI noted that this vulnerability was not recognized by the software vendor at the time of exploitation, underscoring the advanced nature of the attack.

In response to the incident, KDDI is actively working to secure the affected email accounts. The company is in the process of changing the passwords for all impacted customers. For users who do not frequently access their email services, KDDI is coordinating with the respective ISPs to implement mandatory password changes within one to two days to mitigate further risk.

To enhance its security posture against future threats, KDDI has deployed Endpoint Detection and Response (EDR) software across its systems. A forensic audit conducted on June 23 confirmed that the exploited vulnerability has been remediated and that no other security issues were found within the affected systems. The company has also formally notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications about the breach.

This incident highlights the persistent threat of large-scale data breaches targeting critical infrastructure and telecommunications providers. The exploitation of a zero-day vulnerability underscores the challenges organizations face in defending against sophisticated cyberattacks. KDDI's proactive communication and remediation efforts are crucial in managing the fallout and rebuilding customer trust following this significant security lapse.

The company is collaborating closely with the affected ISPs to implement comprehensive security measures aimed at mitigating the risks associated with the exposed data. The scale of the breach, affecting millions of users and involving sensitive credentials, necessitates a thorough investigation and robust long-term security enhancements.

Synthesized by Vypr AI