
KDDI Email Breach Exposes 14M Logins Across 6 ISPs

In short: On 23 June 2026, Japanese telecom giant KDDI disclosed a breach of a shared email platform it runs on behalf of six internet service providers. Up to 14.22 million accounts were exposed — email addresses and passwords. Attackers exploited a flaw in third-party software inside the infrastructure. If you use email from these ISPs, change your password and turn on two-factor authentication.

What happened

On 17 June 2026, KDDI detected unauthorized access to its email system, blocked the attacker and put technical countermeasures in place. On 23 June it disclosed the incident publicly: an attacker exploited a vulnerability in third-party software embedded in the shared email platform and may have reached data for up to 14.22 million accounts, including current, former and inactive ones.

What makes this incident stand out is that a single platform serves six providers at once: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, NIFTY and BIGLOBE. One break-in swept up customers of several seemingly independent companies. We cover how network privacy works on our blog.

Why this is worse than one service being hacked

Email addresses and passwords were compromised. KDDI says some passwords were stored hashed or encrypted, but it did not specify what share was in plain text or which algorithm was used. Until that uncertainty is resolved, it is wise to assume the worst and treat your password as potentially exposed.

The real danger is not the leak itself but password reuse. If the same password guards your email, a marketplace and a social account, an attacker only has to feed each email-and-password pair into hundreds of services automatically. This is called credential stuffing, and it turns one leak into a chain of hijacked accounts. We looked at the same mechanics in our report on the leak of billions of passwords.
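From the side of a service receiving those logins, credential stuffing looks different from password guessing: one source tries many accounts once or twice each, and only a few succeed. The sketch below is an added example, not part of the original report. It flags that pattern in a constructed auth log, and the log format, thresholds and function names are assumptions.

```python
from collections import defaultdict

# Constructed sample log: "<timestamp> <source-ip> <account> <OK|FAIL>".
SAMPLE_LOG = "\n".join(
    # One source, six accounts, one try each, one hit: the stuffing pattern.
    [f"2026-01-10T10:00:{i:02d}Z 203.0.113.7 user{i}@isp.example "
     f"{'OK' if i == 4 else 'FAIL'}" for i in range(6)]
    # Classic guessing: many tries against a single account.
    + [f"2026-01-10T10:01:{i:02d}Z 198.51.100.9 admin@isp.example FAIL"
       for i in range(6)]
    # Shared office address: many accounts, but they all log in fine.
    + [f"2026-01-10T10:02:{i:02d}Z 192.0.2.80 staff{i}@isp.example OK"
       for i in range(5)]
    # Ordinary user who mistyped once.
    + ["2026-01-10T10:03:00Z 192.0.2.44 taro@isp.example FAIL",
       "2026-01-10T10:03:09Z 192.0.2.44 taro@isp.example OK"]
)

def parse(log):
    """Yield (ip, account, succeeded) for every well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2].lower(), parts[3] == "OK"

def find_stuffing(log, min_accounts=5, max_tries=2, max_hit_rate=0.2):
    """Flag sources that are wide (many accounts), shallow (few tries per
    account) and mostly failing. Thresholds are illustrative assumptions."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, account, ok in parse(log):
        per_ip[ip][account].append(ok)
    flagged = {}
    for ip, accounts in per_ip.items():
        attempts = sum(len(tries) for tries in accounts.values())
        hits = sorted(a for a, tries in accounts.items() if any(tries))
        wide = len(accounts) >= min_accounts
        shallow = attempts / len(accounts) <= max_tries
        if wide and shallow and len(hits) / len(accounts) <= max_hit_rate:
            # Accounts that did log in need a forced reset, not just a block.
            flagged[ip] = {"accounts": len(accounts), "attempts": attempts,
                           "compromised": hits}
    return flagged

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

Grouping by a single source address is the simplest form of this check; traffic spread across many addresses needs the same wide-and-shallow test applied to other groupings, such as time windows.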

What it means for you and your data

Even if your password was encrypted, the leaked email address is valuable on its own. Knowing you are a customer of a specific provider, scammers send targeted phishing "from" that operator: emails about a "suspended mailbox", a "payment to confirm" or a "password update", linking to a fake login page. The better the message fits the context, the more likely someone types their real password in.

A mailbox is also the key to everything else: password-recovery links for banking, work and cloud accounts all land in your email. That is why compromising email is more dangerous than leaking the password to a random forum.

How do I know if this affects me?

If you use email from one of the six providers (STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, NIFTY or BIGLOBE), assume you may be affected and act ahead of time. Also check your address on Have I Been Pwned, which shows the known breaches your email appears in. Being absent is not a guarantee, but showing up is a clear signal to change passwords now.

How to protect your accounts

Change your email password first. It is the account others are recovered through. Then update the password anywhere you may have reused it.

A unique password for every service. A password manager creates and stores long random passwords so one leaked service does not drag the rest down with it.

Two-factor authentication. Prefer an authenticator app or a hardware key over SMS. Even with your password, no one gets in without the second factor.

Distrust emails "from your provider". Phishing spikes after leaks like this. Do not click links in "account suspended" emails — open the account manually by typing the site address yourself.

Cover the network half. A VPN — such as LiMP VPN — encrypts your traffic on untrusted networks so logins and passwords cannot be intercepted in transit, and hides your real IP from sites and your provider. To be honest: a VPN will not change a leaked password for you or protect a database on the service's side — but it covers the network part of privacy. See how we do it on the features page.

Sources

This report is based on coverage by BleepingComputer, Security Affairs and SC Media from June–July 2026.
