KDDI breach exposes up to 14.2M email logins at six Japanese ISPs

KDDI Corporation revealed that intruders accessed one of its email platforms shared with five partner internet providers, potentially exposing login details for as many as 14.2 million accounts.

KDDI detected the breach on June 17. The telecommunications giant said it responded the same day by cutting off the intruders and adding protective controls. The probe traced the intrusion to a flaw in an unnamed third-party application running on the firm's infrastructure.

Six ISPs and their customers are affected. Operators whose email services relied on the compromised platform include STNet Inc., JCOM Co. Ltd., Chubu Telecommunications Co. Inc., NIFTY Corporation and BIGLOBE Inc. alongside KDDI itself. The company, formed in 2000 from the merger of IDO, DDI and KDD, employs 45,000 people and generates annual revenue of $32.4 billion.

The total covers active, former and dormant accounts whose precise count remains unknown while the inquiry proceeds. "Although technical defensive measures have already been implemented for the system, there remains a possibility that customers' email addresses and passwords were obtained by unauthorized third parties as a result of the incident," the operator stated.

Some passwords were protected by hashing or encryption. KDDI noted that many credentials existed only in hashed or encrypted states, reducing the chance they could be used right away to seize accounts. Officials gave no breakdown of encryption methods or the share stored in plain text.

Since the discovery the firm has informed the five partner providers plus Japan's Personal Information Protection Commission and Ministry of Internal Affairs and Communications. It is now partnering with those ISPs on further safeguards to limit fallout from any stolen data.

The company urges anyone who might be affected to change their email password at once and to activate two-factor authentication wherever the option exists.