Over 14 million login credentials leaked from six ISPs in major data breach — here’s what we know

  • Tens of millions of credentials may have been leaked following an attack on one of Japan's largest ISPs
  • The attack leveraged a vulnerability in third-party software used by KDDI
  • Five other ISPs were also affected in the attack

A data breach that has potentially exposed the email and password combinations for over 14 million customers across six internet service providers (ISPs) has been disclosed by Japanese telecoms provider KDDI Corporation.

According to the company, hackers exploited a vulnerability in third-party software to access the database of credentials. KDDI said that it immediately blocked the hackers' access after discovering the intrusion on June 17, 2026.

“Although technical defensive measures have already been implemented for the system, there remains a possibility that customers' email addresses and passwords were obtained by unauthorized third parties as a result of the incident,” the company said in a statement.

Millions of credentials exposed

Unfortunately, the breach was not confined to just KDDI. The email services of five other ISPs were also affected by the breach:

  • STNet, Inc.
  • JCOM Co., Ltd.
  • Chubu Telecommunications Co., Inc.
  • NIFTY Corporation
  • BIGLOBE Inc.

KDDI has yet to finish a formal investigation into the attack, but said that the hacker may have gained access to the email addresses and passwords of 14.22 million current and former customers. The company also said that some of the passwords were stored in an encrypted format, and so will be inaccessible to the hackers, but it did not say how many were stored in this manner.

Since discovering the breach, KDDI has also been working alongside the affected ISPs to secure systems and put in place mitigation measures to counter the abuse of exposed account credentials.

In order to stay protected, customers have been advised to change their account passwords and implement two-factor authentication.

Breaches such as these are particularly dangerous because they expose email and password combinations. Because most people use only one or two email addresses across their accounts, hackers are more likely to succeed when they try the exposed email and password combinations against other accounts created with the same email.

This is especially true if the same password (or a variant thereof) is used across multiple accounts. Hackers can use brute force techniques to try hundreds of password combinations in a very short amount of time in order to crack weak or reused passwords.

When creating or updating a password for any account, no matter how infrequently it is used, always create a strong unique password. Password managers can create and suggest strong passwords, securely store them, and automatically fill login forms to take the hassle out of remembering passwords.

Alternatively, some services offer the ability to log in using a passkey, which utilizes the built-in biometric authentication mechanisms of your device, such as a facial scan or fingerprint. These login methods not only remove the need to type in passwords, but also reduce the possibility of hackers accessing your account through phishing attacks.

Via BleepingComputer
