
- Tens of millions of credentials may have been leaked following an attack on one of Japan’s largest ISPs.
- The attack exploited a vulnerability in third-party software used by KDDI.
- Five other ISPs were also affected by the attack.
A data breach that potentially exposed the email and password combinations of more than 14 million customers across six Internet service providers (ISPs) has been revealed by Japanese telecommunications provider KDDI Corporation.
According to the company, hackers exploited a vulnerability in third-party software to gain access to the credentials database. KDDI said it immediately blocked the hackers’ access after discovering the intrusion on June 17, 2026.
“Although technical defense measures have already been implemented for the system, it remains possible that customer email addresses and passwords were obtained by unauthorized third parties following the incident,” the company said in a statement.
Millions of credentials exposed
Unfortunately, the breach was not limited to KDDI. The messaging services of five other ISPs were also affected:
- STNet, Inc.
- JCOM Co., Ltd.
- Chubu Telecommunications Co., Inc.
- NIFTY Company
- BIGLOBE Inc.
KDDI has not yet completed its formal investigation into the attack, but said the hacker may have gained access to the email addresses and passwords of 14.22 million current and former customers. The company also said that some of the passwords were stored in an encrypted format and would therefore be inaccessible to hackers, but the company did not say how many were stored this way.
Since the discovery of the breach, KDDI has also worked alongside affected ISPs to secure systems and implement mitigation measures to counter the abuse of exposed account credentials.
In order to stay protected, customers have been advised to change their account passwords and implement two-factor authentication.
Such breaches are particularly dangerous because they expose email and password combinations. Since most people use only one or two email addresses across their accounts, hackers are more likely to try the exposed email and password combinations against other accounts created with the same email address.
This is especially true if the same password (or a variation thereof) is used across multiple accounts. Hackers can use brute force techniques to try hundreds of password combinations in a very short time to crack weak or reused passwords.
When creating or updating a password for an account, regardless of how often it is used, always create a unique and strong password. Password managers can create and suggest strong passwords, store them securely, and auto-populate login forms to make remembering passwords easier.
Alternatively, some services offer the ability to log in using a passkey, which uses your device’s built-in biometric authentication mechanisms, such as a facial scan or fingerprint. These login methods not only remove the need to enter passwords, but also reduce the possibility of hackers gaining access to your account via phishing attacks.
Via BleepingComputer