KDDI email-platform breach exposes up to 14.2 million ISP logins

On 24 June 2026, Japanese telecommunications giant KDDI Corporation disclosed a data breach affecting a shared email platform it operates on behalf of several internet service providers, warning that up to 14.22 million email addresses and passwords may have been exposed. The company said it had detected the unauthorised access on 17 June 2026 and moved to secure the affected system.

The breach is notable for its blast radius across shared infrastructure: because KDDI runs the same email back end for multiple ISPs, a single intrusion put credentials from six different providers at risk simultaneously.

What happened

KDDI's investigation found that the attacker exploited a vulnerability in third-party software integrated into the email system, gaining unauthorised access to information associated with user mailboxes. The data potentially exposed includes the email addresses and passwords needed to operate accounts created across the affected services.

The maximum exposure figure of 14.22 million records is an upper bound that includes inactive accounts and users who had previously closed their services, so the number of currently active customers affected is likely lower.

Affected providers

The email services run through KDDI's platform span six internet service providers, including:

STNet
KDDI Web Communications
J:COM
Chubu Telecommunications
Nifty
Biglobe

Response

KDDI said it immediately modified the affected system and deployed protective measures after identifying the entry point the attacker had used. The company urged potentially affected users to remain alert for follow-on phishing and to change their passwords.

Why it matters

The incident underlines the concentration risk of shared back-end infrastructure in the telecom and ISP sector: consolidating email hosting across many consumer-facing brands is efficient, but it means a single exploited dependency can cascade into one of the largest credential exposures of the year. Exposed email/password pairs are especially damaging because they fuel credential-stuffing attacks against unrelated services where customers reuse the same passwords.

Sources

bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/data-breach-exposes-up-to-142-million-email-logins-at-six-isps/

securityaffairs.comhttps://securityaffairs.com/194387/data-breach/kddi-data-breach-impacts-up-to-14-2-million-email-accounts-at-six-isps.html

japantimes.co.jphttps://www.japantimes.co.jp/business/2026/06/24/companies/kddi-data-breach-cyberattack/

Related incidents

Data breachResolvedMay 23, 2026

Charter data breach (2026)

In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" extortion campaign.

Victim: Charter
Records: 4.9M

Data breachOngoingApril 10, 2026

DB Telecom: a 40k-customer database put up for sale

Around 10 April 2026, a threat actor put DB Telecom (Service Telecom) — a Marseille-based IP-telephony operator on the Orange/Or-Tel network — up for sale, leaking a database of roughly 41,470 customers and 2,835,372 records including names, contacts, plaintext passwords and internal emails.

Victim: DB Telecom
Records: 2.8M

Data breachResolvedApril 6, 2026

LegionProxy data breach (2026)

In April 2026, the commercial residential and ISP proxy network LegionProxy suffered a data breach. The incident exposed 10k email addresses, bcrypt password hashes, names and purchases.

Victim: LegionProxy
Records: 10.1K

Data breachUnknownJanuary 25, 2026

508,276 Coriolis Télécom customers affected by a data leak

French mobile and internet operator Coriolis Télécom was hit by a data leak in which a hacker put a 356 MB database of 508,276 customer records — including names, postal and email addresses, dates of birth, IBAN/BIC bank details and business SIRET numbers — up for sale on a dark-web marketplace.

Victim: Coriolis Télécom
Records: 508.3K