KDDI Cyberattack Exposes 12 Million Email Addresses and 7.6 Million Passwords in Japan ISP Breach
- 13 hours ago
- 3 min read
A cyberattack on an email platform operated by Japanese telecom giant KDDI exposed more than 12.2 million customer email addresses and 7.6 million passwords, marking one of the larger recent credential exposure incidents tied to shared internet service provider infrastructure in Japan.
KDDI said the breach affected an email system it runs for five Japanese internet service providers. The platform supports customer email account management, webmail access and email storage. The company first revealed unauthorized access in June, but confirmed the full scale of the incident this week after completing a forensic review and submitting its findings to Japan’s communications ministry.
According to KDDI, the attackers gained access by exploiting a vulnerability in third-party software used inside the email platform. The company said it patched the flaw and changed the affected system after discovering the intrusion. Investigators have not found evidence that the attackers moved beyond the vulnerability used to access the platform, KDDI said.
The company also stressed that its own consumer email services for mobile and fixed-line internet customers are hosted on separate infrastructure and were not affected by the attack.
“So far, many customers who use the email service regularly have changed their passwords,” KDDI said, adding that the impacted ISPs are working to complete mandatory password resets in the coming days.
“We are analyzing the scope of the impact and the cause, responding to customers in coordination with ISP operators, and taking measures to prevent a recurrence,” the company said.
The breach highlights a growing risk facing telecoms, cloud providers and managed service platforms: shared infrastructure can turn one software flaw into a multi-provider security incident. In this case, a single vulnerable component in a centralized email system exposed credentials across several internet service providers at once.
“More than 12 million compromised email addresses and more than 7 million compromised passwords, all traced back to one unpatched vulnerability in one piece of third-party software,” said Max Gannon, Cyber Intelligence Team Manager at Cofense. “That is the multiplier effect of shared infrastructure, when a component sits at the center of a platform serving multiple providers, a single flaw does not affect one organization, it affects all of them simultaneously.”
For attackers, compromised email addresses and passwords can be valuable well beyond the original platform. Credential dumps are often used in phishing campaigns, credential stuffing attacks, business email compromise attempts and account takeover operations, especially when users reuse passwords across services.
The incident also underscores the difficulty of securing third-party software embedded deep inside critical platforms.
“Security teams spend enormous energy hardening the systems they own and operate, but third-party software is harder,” Gannon said. “You did not write it, you often cannot audit it deeply, and you are dependent on the vendor's patch cycle. Attackers know this. Exploiting a vulnerability in integrated software is frequently the path of least resistance into an otherwise well-defended environment.”
KDDI is one of Japan’s largest telecommunications companies and operates the country’s second-largest mobile network. Beyond mobile and broadband services, the company also provides cloud computing, cybersecurity, data center and enterprise technology services.
The disclosure lands during a wave of cyber incidents affecting major Japanese companies. In recent weeks, the Japanese unit of Aflac, electronics manufacturer Nidec and brewer Sapporo Holdings have each reported breaches or cyber-related disruptions. There is currently no evidence connecting those incidents to the KDDI attack.
For customers affected by the KDDI ISP email breach, forced password resets are a necessary first step. But security experts say users should also change any reused passwords on other accounts, enable multi-factor authentication where available and watch for phishing emails that reference their ISP or email account.
The broader lesson for telecom and managed service providers is more structural. Centralized platforms can create efficiency, but they also concentrate risk. When a third-party software flaw sits inside infrastructure used by multiple providers, patch management, vulnerability monitoring and vendor risk controls become critical security functions, not back-office maintenance.