KDDI has disclosed that an email system it operates for internet service providers (ISPs) was breached in a cyberattack, potentially exposing email account information belonging to customers of six Japanese service providers.
The company says the intrusion exploited a vulnerability in third-party software used by the platform and that its investigation remains ongoing.
KDDI confirmed on June 17 that the email platform had been subjected to unauthorized access. On the same day, it modified the affected system to prevent further compromise, identified the suspected point of intrusion, and implemented technical defensive measures.
The subsequent investigation determined that the attackers gained access by exploiting a vulnerability in third-party software used within the email platform. As a result, email-related customer information required to use the affected mail services may have been exposed. KDDI says it is continuing to investigate the full scope of the incident and determine the extent of the impact.
KDDI is one of Japan's largest telecommunications providers, offering mobile, broadband, enterprise, and cloud services. In addition to serving its own customers, the company operates infrastructure used by other internet service providers, including email systems that support consumer and business email services.
The incident affects email services provided through KDDI's platform for six ISP operators:
- STNet (Pikara Hikari Service, Pikara Mobile Service, and Oshigoto Pikara Service)
- KDDI Web Communications (CPI-hosted email service)
- JCOM (J:COM NET and cable television operator email services)
- Chubu Telecommunications (Commufa Hikari and Business Commufa email services)
- Nifty (@nifty Mail)
- BIGLOBE (BIGLOBE Mail)
KDDI estimates that email addresses and passwords associated with up to 14.22 million mailboxes could have been exposed. The figure represents the maximum possible number of affected records while the investigation continues, including former customers and inactive accounts. The company notes that some of the passwords were stored in hashed or encrypted form.
The telecommunications provider has also reported the incident to Japan's Personal Information Protection Commission and consulted with the Ministry of Internal Affairs and Communications in accordance with applicable legal requirements.
Since June 17, KDDI has been notifying the affected ISP operators and coordinating response measures with them. Although the company says it has already implemented technical protections for the compromised platform, it warns that email addresses and passwords may have been obtained by unauthorized third parties during the intrusion.
As a precaution, KDDI is urging affected customers to change their email passwords as soon as instructed by their respective service providers. The company says this measure is intended to protect customer accounts and eliminate any ongoing or future risk associated with the breach. It also plans to continue working with the impacted ISPs to notify customers and facilitate password resets while the investigation remains underway.
Leave a Reply