Japanese telecommunications company KDDI has disclosed a major cybersecurity incident in which up to 14.22 million email addresses and passwords may have been exposed through systems used by multiple internet service providers. The KDDI data breach has now become one of the most recent security events involving shared ISP infrastructure in Japan. 

The company confirmed that the data breach at KDDI was detected on June 17, 2026, after unauthorized access was identified in an email system provided to ISP operators. KDDI said it immediately took steps to modify the affected system and deployed protective measures after identifying the entry point used by a threat actor. 

KDDI Data Breach Linked to Third-Party Software Vulnerability 

The data breach at KDDI impacted email services operated through six internet service providers: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and Biglobe. Affected services include Pikara Hikari Service, Pikara Mobile Service, Oshigoto Pikara Service, CPI rental server email services, J:COM NET, Commufa Hikari, Business Commufa, @nifty Mail, and BIGLOBE Mail. 

KDDI’s investigation found that the threat actor exploited vulnerabilities in third-party software integrated into the email system. This allowed unauthorized access to information associated with user mailboxes, potentially exposing credentials needed to operate email accounts. 

According to the company, the compromised data may include email addresses and passwords linked to user accounts created across the affected services. The maximum number of records potentially exposed is estimated at 14.22 million. This figure includes inactive accounts and users who had previously closed their services. Some passwords were stored in hashed or encrypted form, though KDDI emphasized that the number represents a worst-case estimate while investigations continue. 

In its official disclosure, KDDI apologized to ISP partners, customers, and stakeholders for the disruption caused by the incident. The company also confirmed that it is cooperating with Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications in line with legal and regulatory obligations related to the KDDI data breach. 

KDDI Data Breach Prompts Password Reset Measures and Ongoing Response 

Following the detection of the data breach at KDDI, the company has been working with affected ISPs to notify users and encourage them to change their passwords immediately. KDDI stated that although security controls have been strengthened, there remains a possibility that email credentials were obtained by a threat actor, making user action necessary to reduce ongoing risk. 

The company has been contacting affected providers since June 17 and continues to coordinate mitigation efforts, including customer alerts and system-level countermeasures. It has also urged users to follow guidance issued by their respective ISPs and update login credentials without delay. 

Rising Cybersecurity Risks Highlighted by KDDI Data Breach 

The KDDI data breach has emerged amid a broader increase in cyberattacks affecting Japanese organizations. According to Tokyo Shoko Research, listed companies and their subsidiaries reported 180 personal information breach cases in 2025, exposing data tied to approximately 30.6 million individuals. More than 60% of these incidents involved unauthorized access or malware infections. 

Ransomware activity has also continued to rise, with Japanese police confirming 226 cases of ransomware-related incidents last year, marking the second-highest total on record. While small and midsize firms accounted for roughly 60% of victims, several large organizations also suffered significant operational disruption. 

Among them, Asahi Group Holdings reported that a ransomware attack in September exposed 115,513 personal records and disrupted production and distribution across most domestic facilities, forcing manual order processing for an extended period. Similarly, Askul disclosed that a ransomware incident discovered in October resulted in the exposure of approximately 740,000 records involving customers, corporate clients, and employees.