
14.2M Email Logins Exposed in KDDI Data Breach

Hacker News

KDDI Corporation, a major Japanese ISP, revealed a data breach affecting up to 14.2 million email accounts across six internet service providers. The compromise, discovered on June 17, stemmed from a vulnerability in third-party software used by KDDI’s email systems. While the company blocked attackers and encrypted some passwords, it warns that email addresses and passwords may have been accessed by unauthorized parties. The breach impacts STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE, with KDDI advising affected users to reset passwords and enable two-factor authentication.

The breach highlights critical risks in third-party software dependencies. KDDI, with $32.4 billion in annual revenue and 45,000 employees, has been a public entity since 2000. The exploited software’s identity remains undisclosed, complicating mitigation efforts. Some passwords were hashed or encrypted, but KDDI did not disclose the encryption type or how many accounts it covered. The company is collaborating with the impacted ISPs to strengthen security protocols and to notify regulatory bodies, including Japan’s Personal Information Protection Commission.

This incident underscores the vulnerability of interconnected systems. Customers of the six ISPs are urged to act immediately, as exposed credentials could enable account hijacks. The breach’s scale—potentially affecting millions—serves as a stark reminder for organizations to rigorously audit third-party tools. Security teams must prioritize testing and patching vulnerabilities before attackers exploit them. Proactive measures, like breach simulation tools, could prevent similar incidents by validating detection systems ahead of real threats.