Major Email Password Breach in Japan Affects Up to 14.2 Million Users: What to Do

Japanese telecommunications company KDDI discovered that attackers gained unauthorized access to a system that handles email services. The breach potentially exposed up to 14.22 million email addresses and passwords. KDDI confirmed the incident on June 17, 2026, and repaired the affected system the same day. The breach impacted email services across six different internet service providers in Japan.

If you use email services from KDDI or one of the six affected ISP providers in Japan, your email address and password may have been exposed.

This means attackers could potentially access your email account, read your messages, and use your account to send emails pretending to be you. They could also try using your password on other websites if you reused it. You should take action immediately if you use any of these email services.

Here is what to do right now:

1. Change your email password immediately. Create a strong, unique password that you do not use anywhere else.
2. Check your email account for any suspicious activity, such as sent emails you did not write or unfamiliar login locations.
3. If you used this same password on any other websites or apps, change those passwords too.
4. Enable two-factor authentication on your email account if available. This adds an extra layer of security beyond just your password. To protect yourself going forward, use a different password for every important account, especially email and banking. Consider using a password manager to help you keep track of unique passwords. Set up two-factor authentication on all accounts that offer it. Be extra cautious about emails asking you to click links or provide personal information, as attackers may use the exposed email addresses to send phishing messages.