KDDI has confirmed a large email-system breach that may have exposed email addresses and passwords for up to 14.22 million accounts across six Japanese ISP services. The company says the incident came from unauthorized access through a vulnerability in third-party software used in a shared email platform, not from a simple phishing wave or a single stolen mailbox.[1]
The affected services named by KDDI are STNet’s Pikara, KDDI Web Communications’ CPI email service, JCOM NET, Chubu Telecommunications’ Commufa, NIFTY’s @nifty Mail, and BIGLOBE Mail. KDDI says it detected the unauthorized access on June 17, 2026, then publicly disclosed the incident on June 23. BleepingComputer highlighted the case on June 28 as a breach affecting email logins at multiple ISPs.[2]
The headline number is an upper bound, not a confirmed count, but the incident is still serious because the compromised data is exactly the kind of login material attackers try against webmail, customer portals, banking sites, social networks, and cloud accounts. Even when a provider forces password changes, the wider risk is password reuse: if the same password was used anywhere else, the breach becomes a credential-stuffing problem outside the original ISP environment.
KDDI says some affected passwords were stored in an encrypted or hashed form, while other account data may have been exposed in a way that requires direct user action. The company and the affected providers have been disabling exposed passwords and asking users to set new ones. That means customers should not wait for suspicious login alerts before acting, especially if the mailbox is tied to password reset flows for other services.[1]
What KDDI and ISP customers should check now
If you use one of the named services, first check the official notice from your ISP and complete any forced password reset from the provider’s own site. Do not follow reset links from unsolicited email or SMS messages. Attackers often use real breach news as bait, and webmail accounts are valuable because they can unlock other accounts through recovery links.
Next, change the password anywhere it was reused. Start with email, banking, shopping, social media, cloud storage, and business apps. Use a unique password for each service and store it in a password manager. If multifactor authentication is available, enable it, but do not treat MFA as a substitute for changing a reused password. Stolen email access can still help attackers intercept recovery messages or reset weaker accounts.
Admins at organizations that allowed staff to use affected ISP mailboxes for business recovery should search for those domains in identity-provider profiles, shared SaaS admin accounts, registrar accounts, and backup mailbox settings. The cleanup model is similar to other credential incidents we have covered: after the StealC and Amadey credential recovery, password rotation mattered only when users also fixed the accounts where those credentials had been reused.
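One way to run that search over an identity-provider or SaaS user export, as an added example that is not part of the original article or any KDDI or ISP tooling: it reads a CSV of user profiles (a constructed sample is embedded inline), matches login, recovery and backup addresses against a list of affected-ISP mail domains on label boundaries, and reports which accounts need their recovery contact rotated. The domain list is a placeholder assumption, since the article names the services but not their mail domains; take the real domains from your provider's notice.

```python
import csv
import io

# PLACEHOLDER: the article names the affected services but not their mail
# domains. Replace with the domains listed in your ISP's official notice.
AFFECTED_DOMAINS = {"example-isp-a.ne.jp", "example-isp-b.jp"}

# Constructed sample export with the columns an IdP or SaaS admin console
# typically lets you download (user, primary login, recovery/backup addresses).
SAMPLE_EXPORT = """\
user,login_email,recovery_email,backup_mailbox
alice,alice@corp.example,Alice.Home@Example-ISP-A.ne.jp,
bob,bob@corp.example,bob@webmail.example,bob@mail.example-isp-b.jp
carol,carol@corp.example,,carol@myexample-isp-a.ne.jp
dave,dave@corp.example,dave@corp.example,
"""

ADDRESS_COLUMNS = ("login_email", "recovery_email", "backup_mailbox")


def mail_domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1]


def is_affected(domain: str) -> bool:
    """True if domain is an affected domain or a subdomain of one.
    Matching is done on label boundaries, so 'myexample-isp-a.ne.jp'
    does not match 'example-isp-a.ne.jp'."""
    return any(domain == d or domain.endswith("." + d) for d in AFFECTED_DOMAINS)


def find_exposed_recovery_contacts(csv_text: str) -> list[tuple[str, str, str]]:
    """Return (user, column, address) for every address on an affected domain."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in ADDRESS_COLUMNS:
            addr = (row.get(col) or "").strip()
            if addr and is_affected(mail_domain(addr)):
                hits.append((row["user"], col, addr.lower()))
    return hits


if __name__ == "__main__":
    for user, col, addr in find_exposed_recovery_contacts(SAMPLE_EXPORT):
        print(f"{user}: {col} uses {addr} -> rotate recovery contact, review recent resets")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; every hit is an account whose password-reset path currently routes through a mailbox that may be in the exposed set.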
Watch for follow-on phishing as well. A realistic message mentioning KDDI, BIGLOBE, @nifty, Commufa, JCOM, CPI, or Pikara may be more convincing now because the breach is real. The safer response is to open the provider website manually and avoid attachments or shortened links. This same post-breach pressure is why we treated the FortiBleed credential reset guidance and the Microsoft AiTM phishing campaign as account-security problems, not just isolated news events.
For unaffected readers, the useful lesson is simple: mailbox passwords deserve the same treatment as bank and password-manager credentials. If a mailbox can receive reset links, losing it can turn one breached password into many breached accounts.
References
- KDDI Corporation. “Announcement regarding unauthorized access to shared email system for some Internet providers.” PDF notice, June 23, 2026. https://newsroom.kddi.com/news/detail/kddi_nr-426_4077.html
- BleepingComputer. “Data breach exposes up to 14.2 million email logins at six ISPs.” June 28, 2026. https://www.bleepingcomputer.com/news/security/data-breach-exposes-up-to-142-million-email-logins-at-six-isps/