Home / The Long Read / Research
Long Read

KDDI email breach: how one shared email platform exposed up to 14.2 million logins across six ISPs

One email platform run by KDDI exposed the logins of up to 14.2 million customers across six Japanese internet providers. The lesson for third-party risk teams is concentration and fourth-party risk: many brands on one shared supplier system, breached through a third-party software flaw.

KDDI email breach: how one shared email platform exposed up to 14.2 million logins across six ISPs
TL;DR

One email platform run by KDDI exposed the logins of up to 14.2 million customers across six Japanese internet providers. The lesson for third-party risk teams is concentration and fourth-party risk: many brands on one shared supplier system, breached through a third-party software flaw.

A single email platform run by one company exposed the login details of customers at six internet providers at once. KDDI, one of Japan's largest telecoms operators, says an attacker exploited a flaw in third-party software inside its shared email system. Up to 14.2 million email addresses and passwords may have been taken, spanning KDDI and five partner providers that rely on the same platform: STNet, J:COM, Chubu Telecommunications, NIFTY and BIGLOBE. The lesson is concentration risk. When many providers sit on one supplier's system, one breach becomes everyone's incident.

KDDI shared email platform breach: the exposure path One flaw in third-party software inside a shared email system cascaded to six ISPs. Detected 17 June 2026. Attacker external exploits flaw KDDI shared email platform shared ICT service flaw in third-party software cascades to Six providers share this platform au / KDDI STNet J:COM Chubu Telecommunications NIFTY BIGLOBE Up to 14.2 million email accounts exposed email addresses and passwords; some hashed or encrypted, unknown number stored in plain text Concentration + fourth-party risk Customers were exposed through a shared supplier system they never chose. Sources: KDDI, BleepingComputer, Japan Times. Draft diagram for Breach Wire, Supplier Shield.

What happened

KDDI detected unauthorised access to its email system on 17 June 2026, according to the company and reporting by BleepingComputer. It assessed that the attacker exploited a vulnerability in third-party software inside the shared email infrastructure, not a phishing or social-engineering route. The platform does not serve KDDI alone. Five other Japanese internet providers use it: STNet, J:COM, Chubu Telecommunications, NIFTY and BIGLOBE. KDDI said up to 14.2 million email addresses and passwords may have been exposed, a figure that includes current customers, former customers and inactive mailboxes. Some passwords were stored in hashed or encrypted form, which limits immediate abuse, but KDDI has not said how many were held in plain text. The company notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.

Why it matters for third-party risk

Strip out the names and the shape is familiar. Six consumer brands, one shared back end, one flaw. Customers of STNet or BIGLOBE never chose KDDI's email software, yet their credentials sat inside it. That is fourth-party risk: exposure through a supplier's supplier, one step beyond the vendor you actually contracted with. It pairs with concentration risk, where many organisations rely on the same underlying system, so one failure lands on all of them at the same time. There is a second layer here. The entry point was a third-party software component inside the platform, which makes this a software supply-chain incident as well as a shared-service one. For firms in scope of the EU Digital Operational Resilience Act (DORA) or the NIS2 directive, both patterns are now supervisory concerns, since both regimes ask organisations to map ICT concentration and understand who sits behind their direct providers.

What teams should take from it

Two moves are worth making now. First, look past your direct vendors and ask what they run underneath. A provider that resells or white-labels another company's platform passes on that platform's risk, so your register should record the operator of a shared service, not just the brand on the contract. Second, treat credential storage as a due-diligence question, not an assumption. Ask suppliers how passwords and secrets are stored, and whether any sit in plain text, before an incident forces the answer. For third-party risk teams, this is where continuous vendor monitoring proves more useful than a once-a-year questionnaire, because a shared platform can expose you through a supplier you never signed with.

FAQ

What caused the KDDI email breach?

KDDI says an attacker exploited a vulnerability in third-party software used inside its shared email system. The company detected the unauthorised access on 17 June 2026. It has not publicly named the software or the attacker.

Why does one breach affect six internet providers?

The six providers, KDDI plus STNet, J:COM, Chubu Telecommunications, NIFTY and BIGLOBE, use the same email platform. Because they share one back-end system, a single flaw in that system exposed customers across all of them at once. That is concentration risk.

Were the passwords readable?

KDDI says some passwords were stored in hashed or encrypted form, which limits immediate misuse. It has not said how many accounts, if any, had passwords stored in plain text. Affected users should change their email password and any place they reused it.

What to do next

Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.

Read next

iRhythm breach: how patient data left through third-party-hosted business apps

iRhythm breach: how patient data left through third-party-hosted business apps

Cardiac-monitoring firm iRhythm says attackers took patient health data, proprietary data and personal information from third-party-hosted business applications, not from its clinical systems. For third-party risk teams the lesson is that regulated data often lives with a vendor, and that is where it leaves.

Read article
Klue OAuth breach: how one connected app exposed CRM data at Huntress, Jamf and other customers

Klue OAuth breach: how one connected app exposed CRM data at Huntress, Jamf and other customers

The Icarus extortion group stole the OAuth tokens Klue held for its customers and used them to take data from those customers' own Salesforce and Gong accounts. For third-party risk teams the lesson is fourth-party risk: a connected SaaS app can turn a supplier's breach into your data loss.

Read article
Vendor due diligence: the 2026 checklist for regulated teams

Vendor due diligence: the 2026 checklist for regulated teams

A practical vendor due diligence checklist for 2026, tiered by risk and mapped to what DORA, NIS2, and GDPR now expect, including the fourth-party checks most teams skip.

Read article
KDDI email breach exposes up to 14.2M logins across six ISPs | Breach Wire | Supplier Shield