Japanese telecom giant KDDI disclosed a breach of its email platform that may have exposed the email addresses and passwords of up to 14.22 million customers, and the ugliest detail is not the intrusion itself. It is that some of those passwords were stored in plaintext in 2026. Worse, because KDDI's email system is white-labeled to five other Japanese internet providers, a single compromise cascaded across six brands at once. This is a textbook case of two failures multiplying: shared infrastructure that widens the blast radius, and password storage that should have been retired a decade ago.

  • KDDI's breached email platform is shared by five other ISPs, so one intrusion hit STNet, JCom, Chubu Telecommunications, NIFTY and BIGLOBE alongside KDDI.
  • Up to 14.22 million customers may have had email addresses and passwords exposed.
  • The scandal: only some passwords were hashed, meaning others sat in plaintext, readable the moment attackers got in.
  • KDDI has not said how many passwords were plaintext or what algorithm protected the rest, which is its own red flag about the program's maturity.
[Figure: One breached platform, six exposed providers. KDDI's shared email platform was breached, exposing customers across KDDI, BIGLOBE, NIFTY, JCom, STNet and Chubu Telecommunications, up to 14.22 million accounts in total.]
Fig 1. Why one breach became six: KDDI's email platform is white-labeled to five other ISPs, so a single compromise radiated across KDDI, BIGLOBE, NIFTY, JCom, STNet and Chubu Telecommunications, up to 14.22M accounts. Shared infrastructure is efficient right up until it fails.

What actually happened?

KDDI disclosed that attackers breached the email system it operates, and that the incident potentially exposed email addresses and passwords for as many as 14.22 million customers. The reach is the first shock: KDDI does not just run email for its own subscribers, it provides the platform to five other Japanese internet service providers, STNet, JCom, Chubu Telecommunications, NIFTY and BIGLOBE. So customers who never signed up with KDDI, who chose BIGLOBE or NIFTY specifically, were caught in a breach of a vendor they may not have known was in the loop. That is the hidden cost of consolidated infrastructure. It is cheaper and simpler to run one email backend for six brands, and it means one successful intrusion compromises all six.


Why is plaintext storage the real scandal?

Because it turns a bad day into a catastrophe. When passwords are stored correctly, a breach leaks data of little use: a modern password is protected with a slow, salted hash like bcrypt or Argon2, so what an attacker steals is a scrambled value that cannot be reversed, only guessed at, with every guess deliberately made expensive and the salt forcing that work to be repeated for each account. Stored in plaintext, the password is just there, readable instantly, ready to be typed into any other account the victim reused it on. KDDI admitted only "some" of the passwords were hashed, which is a careful way of confirming the rest were not. Storing a password in plaintext has been indefensible for well over a decade, and finding it inside a major national telecom in 2026 says the security program was neglected at a fundamental level, not just unlucky.

| Storage method | What a breach leaks | Attacker effort to crack | Acceptable in 2026? |
|---|---|---|---|
| Plaintext | The password itself | None, instant | No, negligent |
| Unsalted hash (MD5/SHA-1) | Hash crackable en masse | Low, rainbow tables | No |
| Fast hash, salted | Per-password crack needed | Moderate on GPUs | Weak |
| Slow salted hash (bcrypt/Argon2) | Practically nothing usable | High, per password | Yes, the standard |

How bad is the fallout likely to be?

The immediate danger is credential stuffing. People reuse passwords, so a leaked plaintext email-and-password pair is not just a threat to a KDDI inbox, it is a key attackers will try against banking, shopping and social accounts at scale using automated tools. Email accounts are especially valuable because they are the reset mechanism for everything else: control someone's inbox and you can often seize their other logins one password-reset link at a time. For 14.22 million people, the correct assumption is that the exposed pair is now circulating, and the only reliable defense is to change that password everywhere it was reused and switch on two-factor authentication, ideally an authenticator app rather than SMS.
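A constructed example (not from the article, KDDI, or any provider's logs) of the defender's side of the credential-stuffing risk described above: a sliding-window check over authentication log lines that flags a source whose failures span many distinct accounts, and lists the accounts that succeeded from that source in the same window as the first ones to reset. The log format, IP addresses, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth log (not real data). A stuffing run tries many distinct
# accounts from one source; a user fumbling a password hits one account
# repeatedly. Both produce failures, but only the first pattern is an attack.
SAMPLE_LOG = """\
2026-07-02T10:00:01Z ip=203.0.113.7 user=a1@example.net result=fail
2026-07-02T10:00:02Z ip=203.0.113.7 user=a2@example.net result=fail
2026-07-02T10:00:02Z ip=203.0.113.7 user=a3@example.net result=success
2026-07-02T10:00:03Z ip=203.0.113.7 user=a4@example.net result=fail
2026-07-02T10:00:04Z ip=203.0.113.7 user=a5@example.net result=fail
2026-07-02T10:00:10Z ip=198.51.100.9 user=bob@example.net result=fail
2026-07-02T10:00:15Z ip=198.51.100.9 user=bob@example.net result=fail
2026-07-02T10:00:20Z ip=198.51.100.9 user=bob@example.net result=success
2026-07-02T10:05:00Z ip=192.0.2.44 user=c1@example.net result=fail
2026-07-02T10:09:00Z ip=192.0.2.44 user=c2@example.net result=fail
2026-07-02T10:13:00Z ip=192.0.2.44 user=c3@example.net result=fail
2026-07-02T10:17:00Z ip=192.0.2.44 user=c4@example.net result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\w+)$")

def parse(log_text):
    """Yield (timestamp, ip, user, result) for each well-formed line, in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)

def flag_stuffing(log_text, window_s=60, min_failed_accounts=4):
    """Flag sources whose failures span >= min_failed_accounts distinct accounts
    within any window_s seconds. For each, also list accounts that succeeded from
    the same source inside that window: those are the likely takeovers to reset first."""
    recent = defaultdict(deque)   # ip -> (ts, user, result), oldest first
    flagged = {}
    for ts, ip, user, result in parse(log_text):
        q = recent[ip]
        q.append((ts, user, result))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop events outside the window
            q.popleft()
        failed = {u for _, u, r in q if r == "fail"}
        if len(failed) >= min_failed_accounts:
            hits = sorted({u for _, u, r in q if r == "success"})
            flagged[ip] = {"failed_accounts": len(failed), "likely_compromised": hits}
    return flagged
```

A shared NAT gateway legitimately produces many distinct accounts from one address, so the threshold needs a per-deployment baseline; the failures-then-success pattern from a single source, not the raw count, is the signal worth paging on.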

What should the affected providers do now?

Force a full password reset across all six brands, not just KDDI's own subscribers, and invalidate existing sessions so stolen credentials cannot be used silently. Then fix the root cause: migrate every stored password to a slow salted hash and delete the plaintext, publish exactly how many accounts were affected per provider and what algorithm protected the hashed remainder, and rebuild the shared platform so a single intrusion cannot expose all six tenants at once. Transparency is not a courtesy here, it is the difference between customers taking protective action and staying exposed. The vagueness so far, "some" passwords hashed, no per-provider numbers, no algorithm named, is a governance failure layered on top of the technical one.
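As an added example that is not KDDI's code and not anything the disclosure describes, this is the migration the paragraph above calls for, run against a constructed store that mixes the two weak formats from the comparison table: plaintext records are rehashed at once and the plaintext discarded, and legacy unsalted MD5 records are wrapped in a slow salted hash immediately and replaced with a direct one at the user's next successful login. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt or Argon2 so the code runs without third-party packages; account names, passwords and the record format are assumptions.

```python
import base64, hashlib, hmac, os

# Constructed legacy store mixing the two formats the article describes:
# plaintext and unsalted MD5. Real records would come from the provider's DB.
LEGACY_STORE = {
    "alice@example.net": ("plain", "correct horse battery"),
    "bob@example.net": ("md5", hashlib.md5(b"hunter2").hexdigest()),
}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves

def pbkdf2_hash(password, salt=None):
    """Slow, per-user salted hash. Stored as pbkdf2$iters$salt_b64$digest_b64."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, base64.b64encode(salt).decode(),
                                 base64.b64encode(digest).decode())

def pbkdf2_verify(password, stored):
    _, iters, salt_b64, digest_b64 = stored.split("$")
    got = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(got, base64.b64decode(digest_b64))  # constant-time compare

def migrate(store):
    """Rewrite every record so a dump of the table is no longer a credential list."""
    migrated = {}
    for user, (kind, value) in store.items():
        if kind == "plain":      # plaintext: rehash now, the plaintext is discarded
            migrated[user] = ("pbkdf2", pbkdf2_hash(value))
        elif kind == "md5":      # a hash cannot be reversed: wrap it in PBKDF2 now,
            migrated[user] = ("pbkdf2-over-md5", pbkdf2_hash(value))  # finish at next login
    return migrated

def login(store, user, password):
    """Verify against whichever format the record is in; finish the upgrade in place."""
    kind, value = store[user]
    if kind == "pbkdf2":
        return pbkdf2_verify(password, value)
    if kind == "pbkdf2-over-md5":
        if not pbkdf2_verify(hashlib.md5(password.encode()).hexdigest(), value):
            return False
        store[user] = ("pbkdf2", pbkdf2_hash(password))  # wrapped record retired
        return True
    return False  # plaintext and bare MD5 are never accepted after migration
```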


What to watch
  • The real plaintext count. "Some were hashed" is doing heavy lifting. The honest disclosure is how many were not, and it will decide the true severity.
  • Credential-stuffing waves. Expect a spike in login-abuse attempts against Japanese banking and commerce sites in the weeks after the leak circulates.
  • Regulatory response. Plaintext storage at a major telco is exactly what data-protection regulators exist to penalize. Watch for enforcement.
  • Shared-platform reckoning. The bigger lesson is tenant isolation. Five ISPs just learned their security depends on a vendor's worst practice.

Our take

The intrusion is almost the least interesting part of this story, and that is exactly why it matters. Attackers breach systems constantly; a mature security program assumes it will happen and makes sure the loss is survivable. KDDI's was not, because it kept passwords in a form that turns any breach into an instant credential dump, and because it centralized six providers onto one platform without the isolation that would have contained the damage. Those are not sophisticated-adversary problems, they are basics that any credible review would have flagged years ago. If there is a useful takeaway beyond "change your reused passwords," it is that convenience and consolidation carry a security bill that usually goes unpaid until a single failure comes due for millions of people at once. For 14.22 million customers across six brands, that bill just arrived, and most of them never even knew they were sharing an inbox provider.

Primary sources

Original analysis by GenZTech. Breach figures as disclosed by KDDI, current as of July 2026. More at KDDI's newsroom.