Future Technology

KDDI's breach hit 14.22 million people, and it's not even all KDDI's fault

Cybersecurity · 10 July 2026

Japanese telecommunications giant KDDI has disclosed a breach of its email system that exposed email addresses and, in some cases, passwords belonging to as many as 14.22 million people. The number is striking on its own, but the more interesting detail is who's actually affected: not just KDDI's own subscribers, but customers of five other Japanese internet service providers that rely on KDDI's email infrastructure behind the scenes.

This is a familiar shape of incident for anyone who's followed enterprise security for a while: a breach at an infrastructure provider ripples out to organisations that never chose that provider directly, and whose customers may not even know the connection exists. If you're a customer of a smaller Japanese ISP, you may have no idea your email data ran through KDDI's systems until a notification arrives, if it arrives at all.

What was exposed

KDDI's disclosure covers email addresses and passwords for the affected accounts. Passwords being included, rather than just addresses, raises the stakes meaningfully: reused passwords are the single most common way one breach turns into several, as attackers test exposed credentials against banking, shopping, and social media accounts on the assumption that people reuse logins.

What to do

If you use a Japanese internet service provider, check directly with them, not just KDDI, about whether your account was among those affected; KDDI's own subscribers should have received or should soon receive direct notification. Regardless of confirmation, if you've reused your email password anywhere else, now is the moment to stop. Change the password on the affected account, then check anywhere else you've used the same password and change those too. Turn on two-factor authentication on the email account specifically, since email access is often the key that unlocks password resets everywhere else.

Breach news that tells you what to actually do about it, every Friday.