KDDI Corporation, one of Japan’s largest telecommunications providers, disclosed a data breach affecting a large number of customers of five internet service providers (ISPs), according to a company statement released on June 17. The incident involved unauthorized access to an email system used by STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE. Threat actors exploited a vulnerability in third-party software; the specific platform remains unnamed.
Details of the Breach
KDDI discovered the compromise on June 17 and immediately blocked the attackers, implementing defensive measures to contain the breach. The company’s investigation revealed that the vulnerability in the third-party software allowed hackers to access customer data, including email addresses and passwords. While KDDI emphasized that technical safeguards were deployed, it warned that “there remains a possibility that customers’ email addresses and passwords were obtained by unauthorized third parties.”

Scale of Exposure
The breach impacted a large number of customers across the five ISPs, including current, former, and inactive accounts. KDDI noted that some passwords were stored in hashed or encrypted formats, reducing the risk of immediate account hijacking. However, the company did not specify the encryption method or the percentage of accounts with plaintext passwords. The affected ISPs include STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE, all of which are part of Japan’s telecommunications infrastructure.
Regulatory and Industry Response
KDDI has notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications, as required under local data protection laws. The company is collaborating with the affected ISPs to enhance security protocols. Customers are advised to reset passwords and enable two-factor authentication (2FA) where available. A KDDI spokesperson stated, “We are prioritizing transparency and working closely with partners to address this issue.”
Industry Context and Precedents
This breach adds to a growing list of cybersecurity incidents in Japan, where telecom giants face increasing threats from sophisticated cybercriminals. Security experts caution that such incidents underscore the risks of relying on external software, even for well-established companies. “Third-party vulnerabilities are a critical weak point,” said Dr. Akira Tanaka, a cybersecurity researcher at the University of Tokyo. “Organizations must conduct rigorous audits of all integrated systems.”
Recommendations for Affected Users
Cybersecurity firms recommend that users affected by the breach take immediate action. “Even if passwords were encrypted, changing them is a precautionary step,” said Lisa Nguyen, a security analyst at Symantec. “Enabling 2FA adds an extra layer of protection against potential misuse.” Users are also advised to monitor accounts for suspicious activity and report any anomalies to the relevant ISPs.
KDDI has not yet provided a timeline for completing its investigation or confirming the full extent of the breach. The company continues to work with regulatory bodies and cybersecurity firms to mitigate risks and prevent future incidents.