KDDI Corporation, Japan's second-largest telecommunications operator, confirmed unauthorized access to an email system shared with five other Japanese ISPs. The breach exposed up to 14.2 million email login credentials across the affected providers.
The compromised system served as a backend email platform for KDDI and five partner ISPs, so this single point of failure exposed customers across multiple networks. Threat actors obtained access to email addresses and login information, though KDDI has not disclosed the attack vector or how long attackers maintained system access.
The affected ISPs have not been officially named in available disclosures, but the exposure ranks among Japan's largest credential breaches in recent years. Email login credentials enable attackers to conduct account takeovers, phishing campaigns, and lateral movement into customer devices and accounts linked to compromised email addresses.
KDDI stated it notified affected customers and law enforcement. The company recommended users change passwords immediately and monitor accounts for unauthorized activity. Japanese telecommunications regulators have begun investigating the incident.
Email system breaches targeting telecommunications infrastructure carry elevated risk because ISPs control network infrastructure and customer data. Attackers leveraging compromised ISP credentials can potentially access customer billing systems, personal information, and network activity logs. This exposure extends beyond email to the broader security posture of affected customers.
The incident underscores recurring vulnerabilities in shared infrastructure models where multiple organizations depend on a single service provider's security controls. KDDI's investigation remains ongoing, with no public timeline established for full remediation details or threat actor attribution.
