Particle.news
Download on the App Store

KDDI Says Up to 14.2 Million Email Accounts May Be Exposed in Major Breach

The company says attackers exploited a flaw in unnamed third‑party email software, leaving questions about how passwords were stored and what data was taken unresolved.

Overview

  • KDDI detected the unauthorized access on June 17, blocked the attackers, and opened a formal investigation while implementing technical defenses.
  • The company estimates that email accounts for up to 14.2 million current, former, and inactive users across six ISPs may have been exposed.
  • KDDI says the intruders exploited a vulnerability in third‑party software used by its email system but has not named the vendor or disclosed the exact flaw.
  • KDDI warned that email addresses and passwords may have been obtained while saying some passwords were stored hashed or encrypted, though it has not said which algorithms were used or whether any plaintext passwords were accessed.
  • Customers are being urged to change email passwords and enable stronger login protections because exposed credentials raise risks of account takeover and credential‑stuffing, and regulators and affected ISPs are coordinating the response as the investigation continues.