telecom
Image: Ted Balmer via Unsplash

Major Japanese telco says cyberattack exposed 12 million emails

One of Japan's largest telecommunications providers said Monday that a cyberattack targeting an email platform it operates for internet service providers exposed more than 12.2 million customer email addresses and 7.6 million passwords.

The company said the breach affected an email system used to manage customer email accounts, webmail services and email storage for five Japanese internet service providers. KDDI first disclosed the unauthorized access in June but only confirmed the scale of the data exposure after completing its forensic investigation and submitting a report to Japan's communications ministry earlier this week.

According to the company, attackers exploited a vulnerability in third-party software used by the email platform. KDDI said it patched the flaw and modified the system immediately after detecting the intrusion, adding that investigators found no evidence the attackers compromised any systems beyond the exploited vulnerability.

KDDI said its own consumer email services for mobile and fixed-line internet customers run on separate infrastructure and were not affected.

"So far, many customers who use the email service regularly have changed their passwords," KDDI said, adding that the affected internet service providers are working to complete mandatory password resets in the coming days.

"We are analyzing the scope of the impact and the cause, responding to customers in coordination with ISP operators, and taking measures to prevent a recurrence," the company said.

KDDI is one of Japan's three largest telecommunications companies, operating the country's second-largest mobile network while also providing broadband, cloud computing, cybersecurity and data center services.

The disclosure comes amid a string of cyber incidents reported by major Japanese companies in recent weeks. Those include the Japanese unit of Aflac, electronics manufacturer Nidec and brewer Sapporo Holdings, all of which have disclosed breaches or cyber-related disruptions. There is no indication the incidents are linked.

Separately, Tokyo police this week said they had arrested a 15-year-old high school student on suspicion of exploiting a vulnerability in the servers of the anime streaming service Bandai Channel to fraudulently cancel more than 46,000 user subscriptions.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
Recorded Future
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.