Data Breach | June 28, 2026 | 3 min read

KDDI Breach Highlights Supply-Chain Risks Across Japanese ISPs

A breach at telecom giant KDDI exposed up to 14.2 million email logins at six ISPs, raising fresh concerns over shared infrastructure in the telecom sector.

Marco Sala, Security News Editor

Single Email System Breach Sends Shockwaves Across Six ISPs

A cyberattack at KDDI Corporation, one of Japan’s largest telecommunications operators, has resulted in the potential exposure of up to 14.2 million customer email addresses and passwords. The breach not only affected KDDI’s own users but rippled across five other major internet service providers (ISPs) that relied on the same email infrastructure, dramatically magnifying the incident’s scope.

KDDI discovered the compromise on June 17, quickly blocking the attacker’s access and putting defensive controls in place. However, the damage could be sweeping: the attackers exploited a vulnerability in unidentified third-party software used within KDDI’s email system, which served as a common backbone for multiple ISPs.

The Domino Effect: Shared Infrastructure and Its Perils

The incident didn’t just stop with KDDI. The affected ISPs—STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE—are all prominent players in Japan’s internet market. This shared reliance on KDDI’s email system meant that a single vulnerability put millions of customer credentials at risk, including those of former customers and inactive email accounts.

While investigators continue to assess the scale, KDDI warns that up to 14.2 million accounts could be affected. The compromise underscores how supply-chain vulnerabilities, especially those embedded in core services like email, can cascade across interconnected organizations.

Shared Systems, Multiplied Risk

When multiple ISPs depend on a single system, a breach at the source can expose millions—escalating the scale far beyond any one operator.

Password Security: An Open Question

KDDI indicated that some passwords in the exposed database were protected through hashing or encryption. However, the company has not clarified how robust those protections are, or how many accounts had their passwords stored in plaintext—a crucial distinction for assessing the immediate risk of account hijacking.

This uncertainty leaves customers in a precarious position. Attackers with access to even partially protected credentials could attempt password cracking or phishing campaigns, particularly if users have reused passwords across accounts.

Incident Response and Regulatory Notification

Following the discovery, KDDI promptly alerted the impacted ISPs as well as Japanese regulators, including the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. The company is coordinating with the affected ISPs to deploy further security measures and reduce potential abuse stemming from the breach.

Customers are being urged to reset their email passwords immediately. KDDI also recommends the activation of two-factor authentication (2FA) where available, adding another critical line of defense against unauthorized access.

Telecom Supply Chains: A Global Security Lesson

The KDDI incident throws into sharp relief the risks inherent in today’s interconnected telecom environment. As providers consolidate backend systems or rely on shared third-party software, the blast radius of a single breach expands dramatically. Defenders must scrutinize not just their own infrastructure, but also the third-party components and shared platforms that may silently underpin services across the industry.

For telecom operators worldwide, the message is clear: harden third-party systems, isolate critical services where possible, and ensure customer credentials are stored according to strict security standards. If your organization relies on external vendors or manages infrastructure for others, regular security reviews and transparent incident response planning are essential.

Telecom organizations concerned about their own exposure should consider comprehensive reviews of their supply chain and email infrastructure security. For tailored risk assessments and defense strategies, our security services can help organizations close gaps before attackers discover them.


This article is original CyberSecFlux reporting based on news first reported by BleepingComputer.
