KDDI reported unauthorized access to its ISP-oriented email system; up to 14.22 million email addresses may have been exposed. Based on ITmedia NEWS coverage and KDDI’s official announcement, this article summarizes the scope and response.

📑Table of Contents
  1. Incident Overview and Background
  2. Affected ISPs and Services
  3. Attack Details and Cause
  4. KDDI Response and Reporting
  5. Impact on Users and Recommended Actions
  6. Frequently Asked Questions (FAQ)
  7. Summary

Incident Overview and Background

On June 17, 2026, KDDI detected unauthorized access to its ISP business email system. The platform supplies email services to partner providers such as STNet and J:COM. Attackers are believed to have exploited a vulnerability in third-party software. KDDI promptly implemented technical countermeasures and is proceeding with reports to the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. According to ITmedia NEWS, the potentially exposed data includes email addresses and password-related information, with a maximum of 14.22 million records at risk.


Affected ISPs and Services

Multiple ISPs rely on this system, resulting in broad impact. The main affected providers and services are listed below.

Affected ISP    Main Services             Estimated Scale
STNet           Pikara Hikari / Mobile    Tens of thousands
J:COM           J:COM NET                 Large scale
nifty           @nifty Mail               Large scale
BIGLOBE         BIGLOBE Mail              Large scale
Others          CPI, Commufa              Medium scale

Source: ITmedia NEWS article dated June 23, 2026, and KDDI official PDF (https://newsroom.kddi.com/news/assets/2026/kddi_nr_s-71_4593/kddi_nr_s-71_4593_pdf_01.pdf).


Attack Details and Cause

The attack leveraged a vulnerability in third-party software. KDDI has identified the vulnerability and completed technical defensive measures. Further details on the attack vector and intrusion path will depend on the progress of the investigation. Mailbox-related authentication information appears to have been the primary target.


KDDI Response and Reporting

Following detection on June 17, KDDI quickly strengthened system defenses. It is currently completing reporting procedures to the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. The official PDF is titled “Regarding Unauthorized Access to the ISP Business Email System.” Affected ISPs are expected to begin notifying users in sequence.


Impact on Users and Recommended Actions

Users who may be affected should first check notifications from their ISP. Although KDDI has implemented technical measures and no large-scale damage has been confirmed so far, changing passwords is advisable. As a precaution, verify that the same email address and password combination is not reused on other services, and consider enabling two-factor authentication where possible.


Frequently Asked Questions (FAQ)

  • Q1: Which email addresses may have been exposed?
    Addresses from STNet Pikara Hikari/Mobile, J:COM NET, @nifty Mail, BIGLOBE Mail, CPI, and Commufa services are potentially affected. Check each ISP’s official announcement for details.

  • Q2: Were passwords also exposed?
    Password-related mailbox information may have been leaked. KDDI has implemented technical measures, but changing passwords is still recommended as a precaution.

  • Q3: When was the attack discovered?
    KDDI detected the unauthorized access on June 17, 2026. Details are available in the ITmedia NEWS article and KDDI official PDF.

  • Q4: What measures has KDDI taken?
    The company identified the vulnerability, implemented technical defenses, and is proceeding with reports to the relevant authorities.

  • Q5: What should users do immediately?
    Monitor notifications from your ISP, change passwords, and consider enabling two-factor authentication. Avoid reusing email and password combinations across services.

  • Q6: Is there any impact on other KDDI services?
    At this time, the incident is limited to the ISP business email system; no spillover to other KDDI services has been confirmed.

  • Q7: Has the report to the Ministry of Internal Affairs and Communications been completed?
    Reporting procedures are underway. Progress updates are expected in KDDI’s official announcements.


Summary

The KDDI ISP email system breach has the potential to affect a wide range of users across partner ISPs. Based on ITmedia NEWS and the KDDI official PDF, users should watch for notifications from their providers and take appropriate security steps. Always refer to official sources for the latest information.

krona23

Author

Over 20 years in the IT industry, serving as Division Head and CTO at multiple companies running large-scale web services in Japan. Experienced across Windows, iOS, Android, and web development. Currently focused on AI-native transformation. At DevGENT, sharing practical guides on AI code editors, automation tools, and LLMs in three languages.
