KDDI Telecom Data Breach Impacts Over 12 Million Users
A major telecommunications company in Japan disclosed that a security incident led to the exposure of personal data for millions of individuals.
Breach Overview
A major telecommunications company in Japan disclosed that a security incident led to the exposure of personal data for millions of individuals. The breach, which impacted multiple internet service providers, involved the unauthorized access of customer information, including addresses and login credentials. The affected entities include STNet, JCOM, Chubu Telecommunications C, NIFTY Corporation, and BIGLOBE ISP operators.
Timeline of the Breach
The incident was identified on June 17, 2026, when the company detected unauthorized activity on a platform utilized by the five ISPs. Attackers exploited a zero-day vulnerability in third-party software, gaining access to the system on May 16. KDDI confirmed that the software vendor was unaware of the flaw at the time of the breach and has since reported the issue to public authorities.
Vulnerability and Resolution
The company emphasized that the vulnerability has since been resolved, with a forensic audit verifying no ongoing threats to the systems. Data exposed during the breach includes the addresses of 12,233,087 individuals and the passwords of 7,616,173 users. While some passwords were stored in hashed or encrypted formats, the exact number of accounts with plaintext credentials and the specific encryption methods remain undisclosed.
Actions Taken
KDDI stated that it is actively resetting passwords for affected accounts, with priority given to frequent users. Mandatory password changes are being enforced for less active customers, with ISPs required to complete the process within one to two days. To enhance security, the company has deployed Endpoint Detection and Response (EDR) tools to monitor for future threats.
Collaboration with Authorities
KDDI also notified Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications, collaborating with affected ISPs to implement additional safeguards.
Implications and Recommendations
The breach highlights the risks associated with third-party software vulnerabilities, underscoring the importance of proactive security measures. Organizations are advised to conduct regular audits and ensure timely patching of critical systems to mitigate similar incidents. The company has not provided further details on the financial impact or specific indicators of compromise, but ongoing investigations are underway to assess the full scope of the breach.
KDDI confirmed that the software vendor was unaware of the flaw at the time of the breach and has since reported the issue to public authorities.
The company emphasized that the vulnerability has since been resolved, with a forensic audit verifying no ongoing threats to the systems.
The breach highlights the risks associated with third-party software vulnerabilities, underscoring the importance of proactive security measures.
