KDDI data breach exposes up to 14.2M email logins at six ISPs

Japanese telecommunications operator KDDI Corporation disclosed a data breach where threat actors gained access to one of its email systems used by five other internet service providers in the country. The incident potentially exposes up to 14.2 million email logins, according to the company's filing.

The breach's full scope remains under investigation, with KDDI stating the number of affected accounts could reach that figure across six ISPs. The compromised system appears to be a legacy email platform, though specific technical details about the attack vector or duration of access have not been disclosed.

Threat actors accessed the system by exploiting an unspecified vulnerability in KDDI's network. The company has not yet released indicators of compromise or forensic details. No evidence of data misuse has been reported as of the initial disclosure.

KDDI is working with law enforcement and has begun notifying affected customers. The firm recommends that users reset passwords and enable multi-factor authentication. A full remediation timeline has not been provided, and patches for the underlying vulnerability are pending further investigation.

Attribution for the attack remains unclear, and no group has claimed responsibility. The incident highlights the persistent risk of legacy email infrastructure in large telecommunications networks, especially when shared across multiple service providers.