KDDI, KDDI Web Communications and Biglobe: KDDI Data Breach May Have Exposed Up to 14.22 Million Email Accounts

KDDI, KDDI Web Communications and Biglobe: KDDI Data Breach May Have Exposed Up to 14.22 Million Email Accounts

KDDI Data Breach Exposes 14.22 Million Email Credentials in Japan

Japanese telecommunications giant KDDI disclosed a major cybersecurity incident on June 17, 2026, after detecting unauthorized access to an email system used by multiple internet service providers (ISPs). The breach, linked to a third-party software vulnerability, may have exposed up to 14.22 million email addresses and passwords including inactive and closed accounts across six ISPs: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and Biglobe.

Affected services include Pikara Hikari, Pikara Mobile, J:COM NET, @nifty Mail, and BIGLOBE Mail, among others. While some passwords were stored in hashed or encrypted formats, KDDI warned the figure represents a worst-case scenario as investigations continue. The company has since strengthened security controls, notified affected ISPs, and urged users to reset their credentials.

KDDI is cooperating with Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications in response to the incident. The breach underscores growing cybersecurity risks in Japan, where 180 personal data exposure cases were reported in 2025, affecting 30.6 million individuals. Ransomware attacks also surged, with 226 incidents recorded last year, targeting both small businesses and large enterprises like Asahi Group Holdings and Askul.

Source: https://thecyberexpress.com/kddi-data-breach-14-million-email-leak-2026/

BIGLOBE Inc. cybersecurity rating report: https://www.rankiteo.com/company/biglobe

KDDI Corporation cybersecurity rating report: https://www.rankiteo.com/company/kddi-corporation

"id": "BIGKDD1782289486",
"linkid": "biglobe, kddi-corporation",
"type": "Breach",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '14.22 million',
                        'industry': 'Telecommunications',
                        'location': 'Japan',
                        'name': 'KDDI',
                        'size': 'Large',
                        'type': 'Telecommunications'},
                       {'industry': 'Internet Services',
                        'location': 'Japan',
                        'name': 'STNet',
                        'type': 'ISP'},
                       {'industry': 'Internet Services',
                        'location': 'Japan',
                        'name': 'KDDI Web Communications',
                        'type': 'ISP'},
                       {'industry': 'Internet Services',
                        'location': 'Japan',
                        'name': 'JCOM',
                        'type': 'ISP'},
                       {'industry': 'Internet Services',
                        'location': 'Japan',
                        'name': 'Chubu Telecommunications',
                        'type': 'ISP'},
                       {'industry': 'Internet Services',
                        'location': 'Japan',
                        'name': 'Nifty',
                        'type': 'ISP'},
                       {'industry': 'Internet Services',
                        'location': 'Japan',
                        'name': 'Biglobe',
                        'type': 'ISP'}],
 'attack_vector': 'Third-party software vulnerability',
 'customer_advisories': 'Urged users to reset credentials',
 'data_breach': {'data_encryption': 'Some passwords stored in hashed or '
                                    'encrypted formats',
                 'number_of_records_exposed': '14.22 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information)',
                 'type_of_data_compromised': ['Email addresses', 'Passwords']},
 'date_detected': '2026-06-17',
 'date_publicly_disclosed': '2026-06-17',
 'description': 'Japanese telecommunications giant KDDI disclosed a major '
                'cybersecurity incident after detecting unauthorized access to '
                'an email system used by multiple internet service providers '
                '(ISPs). The breach, linked to a third-party software '
                'vulnerability, may have exposed up to 14.22 million email '
                'addresses and passwords, including inactive and closed '
                'accounts across six ISPs.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': '14.22 million email addresses and passwords',
            'identity_theft_risk': 'Yes',
            'systems_affected': 'Email systems of multiple ISPs'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Growing cybersecurity risks in Japan, importance of '
                    'third-party software security',
 'post_incident_analysis': {'corrective_actions': 'Strengthened security '
                                                  'controls, notified affected '
                                                  'ISPs, urged credential '
                                                  'resets',
                            'root_causes': 'Third-party software '
                                           'vulnerability'},
 'recommendations': 'Reset credentials, strengthen security controls, enhance '
                    'monitoring of third-party systems',
 'regulatory_compliance': {'regulatory_notifications': ['Japan’s Personal '
                                                        'Information '
                                                        'Protection Commission',
                                                        'Ministry of Internal '
                                                        'Affairs and '
                                                        'Communications']},
 'response': {'communication_strategy': 'Public disclosure, customer '
                                        'advisories',
              'containment_measures': 'Strengthened security controls',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Notified affected ISPs, urged users to '
                                      'reset credentials'},
 'stakeholder_advisories': 'Cooperation with regulatory bodies',
 'title': 'KDDI Data Breach Exposes 14.22 Million Email Credentials in Japan',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Third-party software vulnerability'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.