12.2 Million People Hit by Data Breach at Japanese Telecom Giant KDDI

A previously unknown flaw in email software exposed the addresses and passwords of millions of customers across five internet providers. Mandatory password resets are now underway.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial 16:9 image of a large Japanese urban data centre at dusk, exterior shot, rows of cooling units and server ventilation grilles lit by am
Share

Key points

  • KDDI confirmed on 17 June 2025 that criminals broke into an email system shared by five Japanese internet providers.
  • The breach exposed the email addresses of 12.2 million people and the passwords of 7.6 million people.
  • Attackers used a zero-day, meaning a software flaw the maker had not yet discovered or patched, to get inside.
  • KDDI's own mobile and fixed-line internet services run on separate systems and were not affected.
  • Mandatory password resets for all affected accounts are being rolled out in the coming days.

Japan's largest telecommunications company, KDDI, has confirmed that criminals broke into a shared email system on 17 June 2025, exposing the personal data of more than 12 million people. The attack hit five internet service providers, companies that supply home and business internet access, that all used the same KDDI-built email platform: STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE.

The entry point was a zero-day, a software flaw that even the people who wrote the code did not know existed. That means no patch was available when the attack happened. According to an automated translation of KDDI's official notice, exploitation of the flaw may have begun as early as May, weeks before KDDI detected the intrusion.

The numbers are stark. Criminals walked away with the email addresses of 12.2 million people. Of those, 7.6 million also had their passwords taken.

Should affected customers be worried?

Yes, in a practical sense, though the risk is manageable if you act now. Stolen email addresses and passwords are regularly sold to other criminals, who use them to try breaking into accounts on completely unrelated services, a technique called "credential stuffing." If you reuse the same password across multiple accounts, a breach like this one becomes a key that opens many doors.

KDDI says customers who actively use the affected email accounts have already been prompted to change their passwords. A mandatory reset for everyone else is coming within days. Do not wait for that prompt. Change your password now, and if you use the same password anywhere else, change it there too.

KDDI says it kicked the criminals out of its systems as soon as the breach was discovered and has seen no evidence of further suspicious activity since. The company also said it will audit the software for any other hidden flaws and help the five ISPs move toward more secure communication technology.

From a threat-intelligence standpoint, the attribution picture here is thin. KDDI has not publicly named a suspected group, and no vendor has yet claimed tracking of a cluster tied to this intrusion. The use of an unpatched zero-day points to at least moderate capability, but capability alone does not establish intent or origin. Medium confidence, at best, that this was opportunistic rather than targeted espionage. More reporting needed.

If you are a customer of STNet, JCOM, Chubu Telecommunications, NIFTY, or BIGLOBE, watch your inbox for a password-reset email from your provider. Be cautious: criminals sometimes send fake reset emails to trick people into handing over credentials, so go directly to your provider's official website rather than clicking links in any email.

© 2026 Threat Vectr