Major Japanese telco says cyberattack exposed 12 million emails

One of Japan's largest telecommunications providers has confirmed that a cyberattack on an email platform it manages resulted in the exposure of over 12.2 million customer email addresses and 7.6 million passwords. The company, KDDI, stated that the breach affected an email system used to handle customer accounts, webmail services, and email storage for five separate Japanese internet service providers.
KDDI initially reported unauthorized access in June but only revealed the full extent of the data exposure after concluding its forensic investigation and submitting a report to Japan's Ministry of Communications. The investigation determined that attackers exploited a vulnerability present in third-party software utilized by the email platform.

Following the detection of the intrusion, KDDI stated that it promptly patched the identified flaw and modified the system. Investigators found no evidence that the attackers gained access to any systems beyond the specific vulnerability that was exploited. The company also clarified that its own consumer email services, which are part of its mobile and fixed-line internet offerings, operate on separate infrastructure and were not impacted by this incident.
In response to the breach, many customers who regularly use the affected email service have already begun changing their passwords. The internet service providers whose customers were impacted are reportedly working to implement mandatory password resets for all users in the coming days. KDDI indicated that it is continuing to analyze the full scope of the impact and the root cause of the incident, coordinating with the affected ISP operators to respond to customers and implementing measures to prevent future occurrences.
KDDI is a significant player in Japan's telecommunications sector, operating the country's second-largest mobile network. Its services extend beyond mobile to include broadband, cloud computing, cybersecurity, and data center operations.

This incident follows a series of cyber events reported by major Japanese companies in recent weeks. Notable breaches or cyber-related disruptions have also been disclosed by the Japanese unit of Aflac, electronics manufacturer Nidec, and the brewer Sapporo Holdings. However, there is currently no indication that these separate incidents are connected.
In a separate development, Tokyo police recently announced the arrest of a 15-year-old high school student. The student is suspected of exploiting a vulnerability in the servers of the anime streaming service Bandai Channel, allegedly leading to the fraudulent cancellation of over 46,000 user subscriptions.





