- Tens of millions of credentials may have been leaked following an attack on one of Japan’s largest internet service providers
- The attack exploited a vulnerability in third-party software used by KDDI
- Five other ISPs were also affected by the attack
A data breach that potentially exposed the email and password combinations of over 14 million customers across six Internet Service Providers (ISPs) has been disclosed by Japanese telecommunications provider KDDI Corporation.
According to the company, hackers exploited a vulnerability in third-party software to gain access to the credential database. KDDI said it immediately blocked the hackers’ access after discovering the intrusion on June 17, 2026.
“Although technical defensive measures have already been implemented for the system, there remains a possibility that customer email addresses and passwords were obtained by unauthorized third parties as a result of the incident,” the company said in a statement.
Millions of credentials exposed
Unfortunately, the breach was not limited to just KDDI. The email services of five other ISPs were also affected by the breach:
- STNet, Inc.
- JCOM Co., Ltd.
- Chubu Telecommunications Co., Inc.
- NIFTY Corporation
- BIGLOBE Inc.
KDDI has yet to complete a formal investigation into the attack, but said the hacker may have accessed the email addresses and passwords of 14.22 million current and former customers. The company also said that some of the passwords were stored in an encrypted format and will therefore be inaccessible to the hackers, but the company did not say how many were stored this way.
Since the discovery of the breach, KDDI has also worked with the affected ISPs to secure systems and put in place countermeasures to address the misuse of exposed account information.
To stay protected, customers have been advised to change their account passwords and implement two-factor authentication.
Breaches like these are particularly dangerous because they expose email and password combinations. Since most people use only one or two email addresses across their accounts, hackers are more likely to try the exposed email and password combinations against other accounts created with the same email.
This is especially true if the same password (or a variant thereof) is used across multiple accounts. Hackers can use brute force techniques to try hundreds of password combinations in a very short time to crack weak or reused passwords.
When creating or updating a password for any account, no matter how infrequently it is used, always create a strong, unique password. Password managers can create and suggest strong passwords, store them securely, and auto-fill login forms to avoid the hassle of remembering passwords.
Alternatively, some services offer the ability to log in using a passkey that relies on the built-in biometric authentication mechanisms on your device, such as a face scan or fingerprint. These login methods not only remove the need to enter passwords, but also reduce the possibility of hackers gaining access to your account through phishing attacks.
Via Bleeping Computer