KDDI Data Breach: Millions of Emails and Passwords Compromised
The prominent Japanese telecommunications company, KDDI, recently issued a supplementary announcement detailing a June cyberattack. Consequently, investigations confirm a severe KDDI data breach. Hackers stole the email addresses of approximately 12.23 million users. Furthermore, around 7.61 million users had their passwords stolen as well. Therefore, KDDI submitted a comprehensive data leak report to Japan’s Ministry of Internal Affairs and Communications on July 6. This report outlined the investigation results alongside subsequent remedial measures.
A Massive Scale Security Incident
Initially, KDDI disclosed the unauthorized access on June 23. Afterward, thorough investigations allowed the company to update the impact scope from a potential leak to a confirmed breach. They also provided the exact number of affected users. Importantly, this incident directly impacts downstream email service providers utilizing KDDI’s infrastructure. These providers ultimately deliver email services to end-users.
Impacted Systems and Plaintext Passwords
KDDI supplies a foundational email system to these downstream entities. This infrastructure handles account management, message transmission, web-based email, and data storage. Ultimately, hackers targeted six distinct email service providers. This compromise encompassed 12.23 million users and included 7.61 million account passwords. Interestingly, while KDDI secured some passwords with a hash and salt strategy, others remained stored in plaintext. Unbelievably, plaintext storage still exists today. However, KDDI has not disclosed the exact number of unsecured passwords. Naturally, hashed and salted passwords present a much lower risk due to their inherent decryption difficulty.
Software Vulnerabilities Triggered the Attack
According to KDDI’s findings, the root cause was a software vulnerability. Hackers exploited flaws within the software powering the foundational email system. Consequently, signs of compromise among some providers date back to May 16, 2026. Yet, KDDI only detected the unauthorized access on June 17, 2026. Immediately, the company patched the system and addressed the vulnerability to shield other ISPs from further attacks.
Approaching a Zero-Day Threat
Notably, the software developers remained entirely unaware of these critical flaws. Therefore, the nature of this vulnerability closely resembles a zero-day exploit. Upon receiving KDDI’s notification, the developers investigated the issue promptly. Furthermore, they submitted detailed vulnerability reports to public authorities. We expect the official CVE identifier and mitigation details to become public very soon.
Mandatory Password Resets and User Protection
Currently, KDDI is collaborating closely with email service providers to mitigate the fallout. Together, they are urging users to change their account passwords immediately. This proactive step prevents further illegal access. Furthermore, they have deployed strict policies enforcing mandatory password modifications. Theoretically, changing your password guarantees the security of your mailbox against unauthorized entry.
Vigilance Against Phishing and Credential Stuffing
Nevertheless, affected accounts might soon receive various phishing emails. Therefore, users must remain extremely vigilant to avoid falling victim to these scams. Crucially, if you reuse the same password across multiple websites, you must change them everywhere. For instance, if you share your KDDI email password with your Apple or Google accounts, update those credentials immediately. This precaution effectively prevents hackers from executing successful credential-stuffing attacks.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.