A significant cybersecurity breach has been reported by KDDI, one of Japan's largest telecommunications companies, exposing over 12.2 million customer email addresses and 7.6 million passwords. This breach targeted an email platform operated for five Japanese internet service providers, impacting systems used for managing customer email accounts, webmail services, and email storage. KDDI initially disclosed the unauthorized access in June, but the full extent was confirmed after a detailed forensic investigation and a report submission to Japan's communications ministry. The attackers exploited a vulnerability in third-party software used by the email platform. In response, KDDI patched the flaw and modified the system immediately after detecting the intrusion. Importantly, there was no evidence that other systems were compromised. The company's consumer email services for mobile and fixed-line internet customers remain unaffected. Following the breach, many regular users have changed their passwords, and affected internet service providers are enforcing mandatory password resets. KDDI is actively analyzing the breach's scope and working with ISP operators to prevent future occurrences. This incident is part of a broader trend of cyber incidents affecting major Japanese companies recently, including Aflac Japan, Nidec, and Sapporo Holdings. Meanwhile, a separate cyber incident in Tokyo led to the arrest of a 15-year-old for exploiting server vulnerabilities at Bandai Channel.
Cyber Breach at Leading Japanese Telco Exposes 12 Million Emails
Cyberattack on major Japanese telco exposed 12 million customer emails from ISP-managed systems and webmail stores.
Executive Summary
KDDI, a major Japanese telecom company, reported a cyberattack that exposed over 12.2 million customer email addresses and 7.6 million passwords by exploiting a vulnerability in third-party software. This incident is part of a series of recent cyber breaches affecting major Japanese companies.


