KDDI Data Breach May Expose 14.2 Million Email Logins

KDDI says a data breach may have exposed up to 14.2 million email addresses and passwords after unauthorized access on June 17.


KDDI says a data breach may have exposed up to 14.2 million email addresses and passwords after unauthorized access to its managed email system on June 17. The company blocked further intrusion the same day, but it still says third parties may have obtained personal data tied to KDDI users and customers of five ISPs.


The passwords were hashed and encrypted, so the exposed files did not contain plain-text passwords. That is not the same as the passwords being safe: if the attacker also obtained the encryption key, the hashes can be attacked offline, and weak or common passwords fall quickly to a dictionary attack unless a slow, salted hash was used. KDDI has not said which algorithm it used. That still leaves a large recovery job for anyone using the managed service, especially if the leaked data came from dormant or cancelled accounts that are harder to match to current users.

KDDI and five ISPs

KDDI provides the email platform to STNet, JCOM, Chubu Telecommunications Co., Nifty Corporation, and BIGLOBE, so the exposure is not limited to one customer base. A reader using any of those services should treat email access and password reuse as the immediate risk: a leaked email address and password pair is exactly what credential-stuffing attacks replay against other sites, and an attacker who controls the mailbox can also reset passwords elsewhere.
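The two risks above, a hashed dump that is still crackable and a recovered password that is reused elsewhere, are easiest to see end to end. The following is an added example, not code from KDDI or any of the ISPs. It assumes a salted PBKDF2-HMAC-SHA256 scheme and that the attacker has the hashes in usable form; the email addresses, passwords, salts and wordlist are all constructed for the demonstration.

```python
import hashlib
from typing import Dict, List, Tuple

# Assumed hashing scheme for illustration only. KDDI has said the passwords
# were hashed and encrypted, not which algorithm or work factor it used.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256, hex encoded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def make_dump(records: List[Tuple[str, str, bytes]]) -> List[Dict[str, str]]:
    """Build a constructed 'leaked' file: email, salt and hash, no plaintext."""
    return [{"email": e, "salt": s.hex(), "hash": hash_password(p, s)} for e, p, s in records]


# Constructed sample records (fictional addresses and passwords). Fixed salts
# keep the example deterministic; a real system would use random ones.
LEAKED_DUMP = make_dump([
    ("alice@example.jp", "password123", bytes([1] * 16)),
    ("bob@example.jp", "summer2024", bytes([2] * 16)),
    ("carol@example.jp", "x7#Lq9!vT2@pW4mZ", bytes([3] * 16)),
])

# Constructed wordlist; a real attacker uses millions of entries plus rules.
WORDLIST = ["123456", "password", "password123", "qwerty",
            "summer2024", "letmein", "iloveyou", "kddi2024"]


def crack_dump(dump: List[Dict[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack: hash every guess with each record's own salt.

    Salting stops precomputed tables and forces one run per record, but a
    weak password still falls as soon as the wordlist reaches it.
    """
    recovered: Dict[str, str] = {}
    for rec in dump:
        salt = bytes.fromhex(rec["salt"])
        for guess in wordlist:
            if hash_password(guess, salt) == rec["hash"]:
                recovered[rec["email"]] = guess
                break
    return recovered


# Constructed accounts at an unrelated service, each with that service's own salt.
OTHER_SERVICE = make_dump([
    ("alice@example.jp", "password123", bytes([9] * 16)),        # reused password
    ("bob@example.jp", "bob-unique-pw-2231", bytes([10] * 16)),  # unique password
])


def verify_login(service: List[Dict[str, str]], email: str, password: str) -> bool:
    """Model of the other service's login check."""
    for rec in service:
        if rec["email"] == email:
            return hash_password(password, bytes.fromhex(rec["salt"])) == rec["hash"]
    return False


def credential_stuffing(recovered: Dict[str, str], service: List[Dict[str, str]]) -> List[str]:
    """Replay each recovered (email, password) pair against another service."""
    return [email for email, pw in recovered.items() if verify_login(service, email, pw)]


if __name__ == "__main__":
    cracked = crack_dump(LEAKED_DUMP, WORDLIST)
    print("recovered from hashed dump:", cracked)
    print("accounts taken over elsewhere:", credential_stuffing(cracked, OTHER_SERVICE))
```

Only the two dictionary-word passwords are recovered; the long random one survives the wordlist. The one user who reused a recovered password loses the second account as well, which is the reason the advice after a breach is to change the password everywhere it was used, not only on the breached service.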

The company says attackers exploited a vulnerability in third-party software used on the email service. That points to a supply-chain problem rather than a single compromised account or misconfiguration, and it is the kind of flaw that affects every deployment of the same software, not just KDDI's.

14.2 million KDDI accounts

KDDI says it has bolstered its defences to prevent future intrusions. It also informed the relevant authorities. That leaves the practical question for affected users: whether their own address or password is among the 14.2 million records KDDI says may have leaked.


The scale is the warning sign here. If even part of that total comes from active accounts, affected users may need to change passwords quickly and check whether the same password was reused on other services. If the data came from dormant or cancelled accounts, notification may take longer because the records no longer map cleanly to current users.

For now, KDDI says its investigation is not finished, so the number of accounts actually exposed may still change. The open questions are how many users had their data taken, and whether the third-party software flaw can be tied to any other service built on the same managed email platform.

For a plain explanation of what a data breach is, see this data breach explainer.

Technology journalist focused on accessibility, diversity in STEM, and the human impact of emerging technologies. TED fellow.