KDDI said Monday that a cyberattack against an email platform it operates for other internet providers exposed more than 12.2 million customer email addresses and 7.6 million passwords.
The Japanese telecom company said the affected system is used by five Japanese internet service providers to administer customer email accounts, webmail and stored messages. That makes this less a breach of one branded inbox service than a compromise of shared plumbing used behind several providers.
KDDI first reported unauthorized access in June. The company said it confirmed the size of the exposure only after completing a forensic investigation and filing a report with Japan’s communications ministry earlier this week.
What KDDI says happened
According to KDDI, the attackers got in by exploiting a flaw in third-party software used in the email platform. The company said it fixed the vulnerability and changed the system after detecting the intrusion.
KDDI said investigators found no sign that the attackers moved into other systems beyond the compromised software flaw. That is KDDI’s finding, not an independent public audit, and the company has not named the software vendor or described the bug in technical detail.
The company also said its own consumer email services for mobile and fixed-line internet customers were on separate infrastructure and were not affected.
KDDI said many regular users of the affected email services have already changed passwords. The internet providers using the platform are working through required password resets, according to the company.
Why the platform matters
Email systems are high-value targets because they sit at the center of account recovery, billing notices and password resets for other services. An exposed email address is useful to spammers and phishers. An exposed password is worse, especially if a customer reused it on other accounts.
KDDI did not say whether the 7.6 million passwords were stored in plaintext, hashed or otherwise protected. Without that detail, customers cannot know from the disclosure how immediately usable the stolen password data may be. The safe assumption for affected users is to change the password anywhere it was reused.
KDDI is one of Japan’s three largest telecom operators and runs the country’s second-largest mobile network. It also sells broadband, cloud computing, cybersecurity and data center services.
The disclosure lands during a run of cyber incidents involving major Japanese companies. The Japanese unit of Aflac, electronics maker Nidec and brewer Sapporo Holdings have recently reported breaches or cyber-related disruptions. No public information cited by the companies indicates those incidents are connected.
In a separate case this week, Tokyo police said they arrested a 15-year-old high school student suspected of exploiting a server vulnerability at anime streaming service Bandai Channel and fraudulently canceling more than 46,000 user subscriptions.
This story draws on original reporting from The Record.