Japanese telecommunications giant KDDI Corporation has disclosed a cybersecurity incident that may have compromised the email credentials of millions of users. According to the company, attackers gained unauthorized access to an email system that supports services for five internet service providers (ISPs) in Japan.
KDDI detected the security breach on June 17 and said it took immediate action to block the attackers while deploying additional security measures to contain the incident.
The company's investigation found that the intrusion occurred after threat actors exploited a vulnerability in third-party software used within KDDI's email infrastructure.
"Although technical defensive measures have already been implemented for the system, there remains a possibility that customers' email addresses and passwords were obtained by unauthorized third parties as a result of the incident," KDDI warns.
Up to 14.22 Million Accounts Potentially Affected
KDDI, one of Japan's largest internet service providers, employs around 45,000 people and generates annual revenue of approximately $32.4 billion. Established in 2000 through the merger of IDO, DDI, and KDD, the company serves millions of customers across the country.
The breach impacted email services operated by the following ISPs:
STNet, Inc.
JCOM Co., Ltd.
Chubu Telecommunications Co., Inc.
NIFTY Corporation
BIGLOBE Inc.
While the investigation remains ongoing, KDDI estimates that email addresses and passwords belonging to as many as 14.22 million current, former, and inactive customer accounts may have been exposed.
The company noted that a portion of the affected passwords had been stored in hashed and/or encrypted form, reducing the likelihood of immediate misuse if accessed by attackers. However, it did not disclose the encryption method used or clarify how many passwords, if any, were stored in plaintext.
Authorities Notified, Customers Advised to Reset Passwords
Since identifying the breach, KDDI has informed the affected ISP operators and reported the incident to Japan's Personal Information Protection Commission as well as the Ministry of Internal Affairs and Communications.
The telecom operator is working closely with the impacted ISPs to strengthen security measures and reduce potential risks stemming from the incident.
Customers whose accounts may have been affected are advised to reset their email passwords immediately. KDDI also recommends enabling two-factor authentication (2FA), where available, to provide an additional layer of account security.
