SecurityJuly 5, 20267 min read

What to Do After the KDDI Data Breach (July 2026)

SC

By Sarah Chen

Head of Privacy Research

What to Do After the KDDI Data Breach (July 2026)

Worried you're exposed? Find out in 60 seconds with a free exposure scan.

On June 23, 2026, Japanese telecommunications giant KDDI Corporation disclosed that attackers had breached a shared email platform, potentially exposing the email addresses and passwords of up to 14.22 million customers across six internet service providers. If you use or have ever used email services from KDDI, BIGLOBE, JCOM, Nifty, STNet, or Chubu Telecommunications, your credentials may be compromised. Here’s what to do.

What Happened

KDDI detected the attack on June 17, 2026, and immediately blocked the attacker while notifying Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. The investigation determined that hackers exploited a vulnerability in unnamed third-party software used on KDDI’s email system.

This is the largest KDDI breach by volume and the first to include passwords alongside email addresses. The exposure affects email accounts across KDDI’s shared infrastructure, including accounts belonging to customers who have already canceled their services or stopped using them.

Which ISPs Were Affected

The breach impacted the email services of six internet service providers that rely on KDDI’s shared email platform:

  • BIGLOBE
  • JCOM
  • Nifty
  • STNet
  • Chubu Telecommunications
  • KDDI Web Communications

Former customers are also at risk

KDDI confirmed that the breach includes records for customers who have canceled their service or have not used it in a long time. Even if you no longer use one of these email services, your old credentials may have been exposed.

What Data Was Exposed

Up to 14.22 million records were potentially compromised, including:

  • Email addresses
  • Passwords

While the breach appears limited to email credentials (no financial data or government IDs were mentioned), stolen email-and-password pairs are extremely dangerous. If you reused that password on other accounts, attackers can use credential stuffing to break into banking, social media, shopping, and other services.

Is your data already out there?

Leaked data ends up on broker sites and in scammers' hands. Run a free 60-second scan to see your exposure — then let us remove it.

Run a free scan

★★★★★ 4.8/5 · Trusted by thousands of families

Steps to Protect Yourself

1. Reset Your Email Password Immediately

If you use or have ever used an email account from any of the six affected ISPs, change that password right now. Choose a strong, unique password that you haven’t used anywhere else.

2. Change Reused Passwords Everywhere

If you used your ISP email password on any other accounts — social media, banking, online shopping, or cloud storage — change those passwords immediately. Credential stuffing attacks happen fast, and attackers automate the process across hundreds of services simultaneously.

3. Enable Two-Factor Authentication

Turn on two-factor authentication (2FA) on your email account and every important account. Even if an attacker has your password, 2FA adds a second barrier they’ll need to bypass.

Use an authenticator app, not SMS

SMS-based 2FA is better than nothing, but authenticator apps (like Google Authenticator or Authy) are significantly more secure against SIM-swap attacks.

4. Check for Unauthorized Access

Log into your email account and review recent activity. Look for:

  • Sent messages you didn’t write
  • Login notifications from unfamiliar locations or devices
  • Forwarding rules you didn’t create (attackers often set up silent forwarding to monitor your inbox)
  • Password reset emails for other services you didn’t request

5. Monitor for Phishing

With 14.2 million email addresses exposed, expect a surge in phishing attempts. Be skeptical of emails claiming to be from your ISP, especially those asking you to verify your account or click a link. Go directly to your provider’s website instead.

6. Check if Your Password Has Been Leaked Elsewhere

Use a service like Have I Been Pwned to check whether your email address appears in other known data breaches. If it does, change those passwords too.

7. Consider a Password Manager

A password manager generates and stores unique passwords for every account, making it impossible for one breach to cascade into others. If you’re still reusing passwords, this is the push you need to switch. See our guide to the best password managers of 2026.

Why ISP Email Breaches Are Especially Dangerous

Your ISP email address is often the oldest email you have. It’s the one tied to legacy accounts, utility providers, government services, and financial institutions. A compromised ISP email can give attackers a master key to reset passwords across dozens of other accounts, especially if 2FA isn’t enabled.

ISP email accounts are also less likely to have modern security features enabled. Many users set them up years ago and rarely update the password or security settings, making them especially vulnerable when a breach like this occurs.

Protect Your Broader Digital Footprint

A breached email address often leads to further exposure when attackers cross-reference it with data broker sites that publish your name, phone number, home address, and more. PrivacyOn removes your personal information from 100+ data broker sites and provides continuous dark web monitoring, so even if your email is compromised, attackers can’t easily build a full profile of you. Learn more about dark web monitoring and take control of your digital privacy today.

SC
Sarah Chen

Head of Privacy Research

CIPP/US CertifiedIAPP MemberB.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.

Find out what's already exposed

A free 60-second scan shows your breaches and broker exposure. PrivacyOn removes it and monitors 24/7 so it stays gone.

★★★★★ 4.8/5 · Trusted by thousands of families