WhySoGeek.

KDDI Breach Exposes Up to 14.2 Million ISP Email Logins: What to Do

A breach at Japanese telco KDDI may have exposed 14.2 million email credentials across six ISPs. Here is how affected users should respond.

Sam Carter

Japanese telecom giant KDDI has disclosed a breach of an email system that serves multiple internet providers, potentially exposing up to 14.2 million sets of email credentials. Even if you are not a KDDI customer, the incident is a sharp case study in shared-infrastructure risk.

Quick answer

KDDI detected unauthorized access on June 17, 2026 to an email platform it runs for six ISPs (STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and Biglobe), potentially exposing up to 14.22 million email addresses and passwords. Passwords were hashed or encrypted, but KDDI warned they may still have been taken, so treat them as compromised. If you use any affected service, reset that email password to something long and unique now, change any reused copies, turn on two-factor authentication, and watch for targeted phishing.

Key takeaways

  • KDDI detected unauthorized access on June 17, 2026 to an email platform it operates for several ISPs.
  • Up to 14.22 million email addresses and passwords may have been exposed, including current, former, and inactive accounts.
  • Six ISPs are affected: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and Biglobe.
  • Attackers reportedly exploited a flaw in third-party software running on the system; passwords were stored hashed/encrypted but may still have been taken.
  • If you use any affected service, reset that email password now, change any reused copies, and enable two-factor authentication.

What happened

KDDI discovered the compromise on June 17, 2026. Attackers gained access to one of its managed email systems, infrastructure that KDDI operates on behalf of several other internet service providers (ISPs). Because that single platform underpins email for multiple brands, the blast radius was large: up to 14.22 million email addresses and passwords may have been exposed, spanning current, former, and inactive users.

The company says the intruders exploited a vulnerability in an unnamed third-party software component running on the system. KDDI blocked the attacker, deployed additional defenses, and notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.

The affected providers

The breach touched email services delivered through six ISPs: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and Biglobe. In practice that reaches branded mail and services such as Pikara, CPI rental-server email, J:COM NET, Commufa, @nifty Mail, and BIGLOBE Mail. Customers of any of these may be affected, which is precisely why shared backend infrastructure is so consequential: one compromise cascades across many brands.

ISP affected             | Branded mail / service to check
-------------------------|--------------------------------
STNet                    | Pikara mail
KDDI Web Communications  | CPI rental-server email
JCOM                     | J:COM NET mail
Chubu Telecommunications | Commufa mail
Nifty                    | @nifty Mail
Biglobe                  | BIGLOBE Mail

How bad is it?

KDDI notes that passwords were stored in hashed or encrypted form, which is the right thing to do. But the company explicitly warned that those credentials may nonetheless have been obtained by the attackers. That caveat matters: depending on the hashing scheme and password strength, hashed passwords can sometimes be cracked offline.

Warning

"Passwords were encrypted" is not the same as "passwords are safe." Treat any breach that exposes credential material as a reason to change those passwords immediately.

The bigger near-term risk for most users is credential reuse and targeted phishing. If the same password protects your bank or shopping accounts, a cracked hash there becomes a key elsewhere. And a confirmed list of an ISP's customers is exactly the targeting data that fuels convincing scams.
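
To make the "encrypted is not the same as safe" point concrete, here is an added example (not from KDDI or the original article; KDDI has not disclosed its storage scheme) that compares what a copied credential table reveals under an unsalted fast hash versus salted PBKDF2. The account names, passwords, and the 600,000-iteration work factor are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example

# Constructed sample accounts; alice and bob chose the same password.
SAMPLE_USERS = {
    "alice": "sakura2024",
    "bob": "sakura2024",
    "carol": "long unique passphrase for mail only",
}

def fast_unsalted(password):
    """Weak storage: one unsalted SHA-256 pass, cheap to guess against."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def slow_salted(password, salt=None):
    """Stronger storage: random per-account salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    pw = password.encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_salted(password, salt)[1], expected)

def shared_hash_groups(stored):
    """Return groups of accounts whose stored value is byte-for-byte equal."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def compare_schemes(users=SAMPLE_USERS):
    """Show what a copy of each credential table reveals about reuse."""
    weak = {u: fast_unsalted(p) for u, p in users.items()}
    strong = {u: slow_salted(p) for u, p in users.items()}
    digests = {u: d for u, (_, d) in strong.items()}
    return {
        "weak_groups": shared_hash_groups(weak),      # reuse is visible
        "strong_groups": shared_hash_groups(digests),  # reuse is hidden
        "strong_records": strong,
    }
```

With the unsalted scheme, identical passwords produce identical stored values, so one recovered password covers every account that shares it. With a per-account salt and a slow function, each record has to be worked on separately, which is why a long, unique password holds up far better than a short or reused one.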

What affected users should do now

If you have an email account with any of the six ISPs above, take these steps.

    1. Reset your email password right away. Choose a long, unique passphrase you have never used elsewhere.
    2. Enable two-factor authentication on the email account if the provider offers it. Email is the master key to your other accounts via password-reset links, so protecting it is a priority.
    3. Change reused passwords. If you used the same password on your email and anywhere else (banking, shopping, social media), change it on those services too. Credential reuse is exactly what attackers count on.
    4. Watch for targeted phishing. Breached email lists are sold and traded. Expect a rise in convincing messages that reference your provider. Be skeptical of any "verify your account" email, and navigate to the provider's site directly rather than clicking links.
    5. Set up sign-in alerts. Many providers can notify you of new logins from unfamiliar devices or locations. Turn that on.

The phishing risk is real and worsening: AI now writes these lures flawlessly, so review our guide on defending against AI phishing. And because reset emails to your inbox are the recovery path for everything, the strongest fix is to make that inbox itself phishing-proof with passkeys.

Check whether your data is circulating

You can monitor for your address in breach corpora and follow a structured recovery checklist. Our walkthrough on checking if your data was breached and responding covers the tools and the order of operations. This incident also lands amid a much larger pool of exposed logins (see the 24 billion stolen credentials surfaced in June 2026), so unique passwords matter more than ever.

The broader lesson: concentration risk

This breach is a reminder that the company whose logo is on your bill is not always the company running your systems. Managed and white-labeled infrastructure means a single provider's security posture can affect millions of customers across many brands at once. A vulnerability in one third-party component cascaded into six ISPs.

For individuals, the defensive answer is the same boring advice that keeps working: unique passwords everywhere (use a password manager), two-factor authentication on anything that supports it, and phishing skepticism. Those three habits dramatically limit the damage when a provider you depend on gets breached, and as the KDDI incident shows, that is a matter of when, not if.

For organizations that rely on third-party platforms, the takeaway is to ask vendors hard questions about their security, demand breach-notification commitments in contracts, keep an inventory of third-party components, and assume that your data inherits the risk profile of every provider in your supply chain.

Frequently asked questions

Am I affected if I am not a KDDI customer?

Possibly. The exposed system served email for six ISPs, so customers of STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, or Biglobe (and their branded mail services) may be affected even though the brand on their bill is not "KDDI."

My password was encrypted. Do I still need to change it?

Yes. KDDI warned the stored credentials may have been obtained, and hashed passwords can sometimes be cracked offline depending on the scheme. Reset the password and change any place you reused it.

What is the single most important step?

Reset the affected email password to something long and unique, then turn on two-factor authentication. Email is the recovery channel for your other accounts, so securing it first contains the most damage.

How do I spot the phishing that follows a breach like this?

Be wary of any message that references your ISP and asks you to "verify," "reactivate," or "secure" your account. Do not click its links; type the provider's address yourself. Polished grammar is no longer a sign of safety.
