Millions of Japanese Email Credentials Exposed in Major ISP Breach
Japanese telecommunications giant **KDDI** has disclosed a significant data breach, affecting up to 14.22 million current and former customers across five internet service providers. The incident stemmed from the exploitation of a zero-day vulnerability in a third-party email platform, leading to the exposure of email addresses and passwords.
Japanese telecommunications powerhouse **KDDI**, the nation's second-largest mobile provider, has revealed a substantial security incident impacting millions of users.
The breach, discovered on June 17, 2026, exposed email addresses and passwords belonging to customers of **STNet**, **JCOM**, **Chubu Telecommunications C**, **NIFTY Corporation**, and **BIGLOBE** ISP operators.

### Zero-Day Vulnerability Exploited
**KDDI**'s investigation, updated on July 6, 2026, pinpointed the attackers' entry point to May 16, 2026. They exploited a previously unknown zero-day vulnerability within a third-party software used by the email platform.
"As a result of our investigation, as of June 17, 2026, the date of our confirmation, this vulnerability was not recognized by the software vendor," **KDDI** stated. The software vendor has since reported the vulnerability to public authorities and is preparing for its disclosure.
### Scope of the Exposure
The incident potentially exposed the email addresses and passwords of up to 14.22 million individuals, including inactive accounts. While **KDDI** noted that some passwords were stored in hashed and/or encrypted forms, specific details on the number of plaintext passwords or encryption methods were not provided.
Ultimately, the attackers gained access to 12,233,087 email addresses and 7,616,173 associated passwords.
### Remediation and Response
**KDDI** is actively working to secure affected accounts. Many customers who regularly use their email services have already been prompted to change their passwords. For less frequent users, ISP providers are implementing mandatory password changes within one to two days.
To bolster future defenses, **KDDI** has deployed **Endpoint Detection and Response (EDR)** software. A forensic audit on June 23, 2026, confirmed that the exploited vulnerability has been addressed and that systems are not affected by other security issues.
The company has also notified Japan's **Personal Information Protection Commission** and the **Ministry of Internal Affairs and Communications** and is collaborating with affected ISPs on further mitigation strategies.