KDDI Breach Exposes 14M Email Logins at 6 ISPs
A KDDI breach may have exposed up to 14.22 million email addresses and passwords across six Japanese ISPs via a third-party software flaw.

A shared piece of software just became a shared liability for millions of people. Japanese telecom giant KDDI disclosed that a breach of its email system may have exposed up to 14.22 million email addresses and passwords across six internet providers.
Quick answer
KDDI disclosed that up to 14.22 million email addresses and passwords may have been exposed across the email services of six internet providers, after detecting unauthorized access on June 17, 2026. The company blamed a vulnerability in third-party software shared across the systems. Passwords were stored hashed or encrypted, but KDDI is urging all affected users to change them immediately.
Key takeaways
- Up to 14.22 million email logins may have been exposed, including former and inactive accounts.
- Six ISPs were affected because they shared vulnerable third-party software.
- KDDI detected the intrusion on June 17, then blocked the attackers and investigated.
- Passwords were hashed or encrypted, but may still have been obtained.
- Change your password now if you use any affected service.
What happened
KDDI detected unauthorized access to its email system on June 17, 2026, moved to block the attackers, and opened an investigation. The company traced the incident to a vulnerability in third-party software used by the email platform, not a flaw unique to any one provider. Because that software was shared, the exposure spread across all six ISP email services at once.
The affected providers are STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and BIGLOBE. KDDI has reported the breach to Japan's privacy and telecommunications regulators and says it is taking the required legal and regulatory steps.
| Detail | Fact |
|---|---|
| Records exposed | Up to 14.22 million |
| Data type | Email addresses and passwords |
| Root cause | Third-party software vulnerability |
| Detected | June 17, 2026 |
| Affected ISPs | STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, BIGLOBE |

Why hashed passwords still matter
KDDI stressed that passwords were stored in hashed or encrypted form, which sounds reassuring. It is not a guarantee. If attackers obtained the hashes, they can attempt to crack weak or common passwords offline, and any password reused on other sites is now a risk regardless of hashing. That is why the company is urging every affected user to change their email password immediately rather than waiting to see whether their specific account was cracked.
The scope makes this worse than a single-provider leak. Because the same flaw hit six ISPs, the pool of potentially exposed credentials is enormous, and it includes current, former, and dormant accounts that owners may have forgotten about. Those forgotten accounts are exactly the ones that reuse old, weak passwords.
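The offline-guessing risk described above, shown as an added example (not code from KDDI or the original article): a provider-side audit that flags accounts whose stored hash matches a common password, once for unsalted fast hashes and once for salted slow ones. The account names, the password list and the PBKDF2 work factor are constructed assumptions; the page does not say which scheme the affected services used.

```python
import hashlib
import hmac
import os

# Constructed list standing in for a real common-password list.
COMMON = ["123456", "password", "qwerty", "letmein", "sakura2020"]
ITERATIONS = 100_000  # assumed work factor, not a value from the page

def fast_hash(password):
    """Unsalted single-round SHA-256: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256: every guess costs ITERATIONS rounds per account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_store(accounts):
    """Build constructed records holding both storage forms for comparison."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = {"fast": fast_hash(password), "salt": salt,
                       "slow": slow_hash(password, salt)}
    return store

def audit_fast(store):
    """One hash per candidate password covers every account at once."""
    lookup = {fast_hash(p) for p in COMMON}
    return sorted(u for u, rec in store.items() if rec["fast"] in lookup)

def audit_slow(store):
    """Each candidate must be re-derived per account because the salts differ."""
    flagged, derivations = [], 0
    for user, rec in store.items():
        for candidate in COMMON:
            derivations += 1
            if hmac.compare_digest(slow_hash(candidate, rec["salt"]), rec["slow"]):
                flagged.append(user)
                break
    return sorted(flagged), derivations

# Constructed accounts: two share a weak password, one uses a long unique passphrase.
STORE = make_store({
    "alice": "password", "bob": "password",
    "carol": "violet-harbor-93-lantern-quartz",
})

if __name__ == "__main__":
    print(audit_fast(STORE), audit_slow(STORE))
```

Both audits flag the same weak accounts, so salting and key stretching raise the cost per guess without protecting a common password; only the long unique passphrase stays out of reach of the list.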
The third-party software problem
This breach is a textbook example of supply-chain risk. None of the six ISPs was individually careless in an obvious way, but they all relied on the same third-party email software, so one vulnerability cascaded across all of them. Shared infrastructure is efficient and cheap, and it concentrates risk. When the shared component fails, everyone downstream fails together.
It is a pattern the security industry keeps seeing, from software libraries to managed platforms. For related coverage, our piece on the 24 billion stolen credentials leak shows how exposed credentials get aggregated and reused, and our guide on how to check if your data was breached and respond walks through the practical steps.
| Lesson | Takeaway |
|---|---|
| Shared software | One flaw can hit many providers at once |
| Hashed passwords | Reduce risk but do not eliminate it |
| Reused passwords | Turn one breach into many account takeovers |
| Dormant accounts | Often hold weak, forgotten credentials |
What to do now
If you use any of the six affected email services, act as though your credentials are exposed. Do not wait for a personal notification.
- Change your email password immediately, and make it long and unique.
- Change it anywhere you reused it, since attackers try leaked pairs across sites.
- Turn on two-factor authentication wherever the provider offers it.
- Watch for phishing that references your email provider, a common follow-on to breaches.
- Close dormant accounts you no longer need to shrink your exposure.
A password manager makes unique passwords practical, and our guide on choosing a secure password manager can help you pick one.
Frequently asked questions
How many accounts were affected by the KDDI breach?
Up to 14.22 million email addresses and passwords may have been exposed across six ISPs, including current, former, and inactive accounts. The exact number confirmed as compromised may be lower.
Which providers were affected?
The email services of six internet providers were hit: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and BIGLOBE. They shared the same vulnerable third-party software.
Were passwords stolen if they were encrypted?
KDDI said passwords were stored hashed or encrypted, but warned they may still have been obtained. Attackers can try to crack weak passwords offline, so you should change your password regardless.
What should I do if I use one of these services?
Change your email password immediately, change it anywhere you reused it, enable two-factor authentication, and stay alert for phishing messages that reference your provider.


