KDDI’s ISP-oriented email system suffered unauthorized access, potentially exposing up to 14.22 million email addresses and passwords. The incident, discovered on June 17, 2026, has been reported by NHK News and ITmedia, affecting multiple ISP services. The breach highlights risks associated with third-party software dependencies, with reports to the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications underway.

📑Table of Contents
  1. Overview and Background of the KDDI Unauthorized Access Incident
  2. List of Major Affected ISPs and Services
  3. Attack Details and KDDI’s Response Status
  4. User Impact and Recommended Security Measures
  5. Frequently Asked Questions
  6. Summary

Overview and Background of the KDDI Unauthorized Access Incident

KDDI provides an email system for ISP operators that serves as the foundation for partner ISPs’ email services. The unauthorized access exploited a vulnerability in third-party software used in this system. The incident was discovered on June 17, 2026, and KDDI has already identified the vulnerability and implemented technical defense measures. Reporting procedures to the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications are in progress. As the importance of email systems grows, the risks of relying on third-party components have come to light once again. KDDI has officially acknowledged the facts and indicated plans to notify users through affected ISPs.


List of Major Affected ISPs and Services

The unauthorized access may impact the following ISPs and services. The primary data at risk includes email addresses and passwords (mailbox-related). The scope is broad, covering various fiber optic, cable TV, and mobile services.

ISP/Operator | Main Services | Potential Impact
--- | --- | ---
STNet | Pikara Hikari, Pikara Mobile, Work Pikara | Email addresses & passwords
KDDI Web Communications | CPI Rental Server Mail | Email addresses & passwords
JCOM | J:COM NET, Cable TV Mail | Email addresses & passwords
Chubu Telecommunications | Commufa Hikari, Business Commufa | Email addresses & passwords
Nifty | @nifty Mail | Email addresses & passwords
BIGLOBE | BIGLOBE Mail | Email addresses & passwords

Source: ITmedia NEWS (June 23, 2026 article) https://www.itmedia.co.jp/news/articles/2606/23/news114.html

Users of these services should consider changing their passwords promptly. KDDI and each ISP are advancing additional security enhancements.


Attack Details and KDDI’s Response Status

The attack exploited a vulnerability in third-party software. KDDI identified the vulnerability and implemented technical defense measures. Currently, reporting to the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications is underway. KDDI has officially acknowledged the incident and plans to notify users via affected ISPs. Detailed attack methods and the full scope of damage remain under investigation; official announcements should be awaited for confirmed information. The risks of third-party dependencies were once again highlighted by this incident.


User Impact and Recommended Security Measures

Users potentially affected face risks of email address and password leaks. Recommended measures are as follows. Prompt action can minimize potential damage.

  • If using services from affected ISPs, change passwords immediately
  • Enable two-factor authentication (2FA)
  • Be cautious of suspicious emails and links; log in only via official apps or sites
  • Use a password manager to handle strong passwords
  • Regularly check official announcements and implement additional measures as needed

KDDI and each ISP continue to strengthen security. Users should periodically review official information.


Frequently Asked Questions

Q: How many records were actually leaked in this incident?

Up to 14.22 million email addresses and other data may have been exposed. The exact number of confirmed leaks is still under investigation. It is important to await official announcements.

Q: How can I check if my email address was leaked?

Check the official websites or support channels of the affected ISPs. Individual notifications from KDDI or each ISP may also be sent. It is recommended to wait for notifications or inquire directly.

Q: Should I change my password?

Yes. If you use one of the potentially affected services, change your password promptly. Enable two-factor authentication as well. Avoid password reuse as a basic practice.

Q: Is KDDI’s response sufficient?

KDDI has identified the vulnerability, implemented defense measures, and reported to relevant ministries. Continue to monitor official information. Additional measures may be announced.

Q: What other security measures should I take?

Regular password changes, enabling 2FA, and caution with suspicious emails are fundamental. Using a password manager is also effective. Avoid logging in from unofficial apps.

Q: Could similar incidents occur in the future?

Technical defenses have been implemented, but similar vulnerability risks are not zero. Always check the latest security information. Regular updates and monitoring are effective.


Summary

The KDDI ISP email system unauthorized access incident is a serious case involving the potential leak of up to 14.22 million personal information records. Users of affected ISP services should prioritize prompt password changes and 2FA setup. Refer to reports from ITmedia and NHK, and stay attentive to official announcements. Raising security awareness and thoroughly implementing daily measures is crucial. The importance of managing vulnerabilities in third-party software was also reaffirmed.

Source: NHK News (https://news.web.nhk/newsweb/na/na-k10015157301000), ITmedia NEWS (https://www.itmedia.co.jp/news/articles/2606/23/news114.html)


Author

krona23

Over 20 years in the IT industry, serving as Division Head and CTO at multiple companies running large-scale web services in Japan. Experienced across Windows, iOS, Android, and web development. Currently focused on AI-native transformation. At DevGENT, sharing practical guides on AI code editors, automation tools, and LLMs in three languages.
