
KDDI: 14.22M Emails & Passwords Possibly Leaked at @nifty, BIGLOBE

KDDI's ISP email system was breached, possibly exposing up to 14.22M email addresses and passwords. @nifty, BIGLOBE and more affected. Here's what to do now.

News

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.23 · 7 min read

On June 23, 2026, KDDI announced that the email system it provides to various internet service providers (ISPs) had been breached, and that up to 14.22 million email addresses and passwords may have been exposed. The affected services include email brands many people use every day, such as "@nifty Mail," "BIGLOBE Mail," and "J:COM NET."

The key point that is easy to miss: this does not only concern people who have a contract directly with KDDI (au). Whether your provider is Nifty or BIGLOBE, the system running the email behind the scenes was the same KDDI platform. That is exactly why a single intrusion spread to several companies' services at once. This article walks through what happened, whether your own email is likely affected, and what you should do right now.

What happened: Unauthorized access to KDDI's email system
Possibly exposed data: Email addresses + passwords (up to 14.22 million)
Affected services: @nifty / BIGLOBE / J:COM NET / Pikara / Commufa / CPI and more
Detected: June 17, 2026
Disclosed: June 23, 2026
Cause: Exploited flaw in third-party software (countermeasures said to be in place)

Why "I don't have a contract with KDDI" doesn't get you off the hook

This is the part most easily overlooked. Many people think of their email as "I'm with @nifty" or "I use BIGLOBE," and never imagine KDDI sitting behind it. In reality, the email functions of these companies ran on a shared system that KDDI provided centrally. The visible brands differ, but the foundation was consolidated into one.

This "invisible shared foundation" is why the damage spread so fast. If the base is one, a hole in it is common to every service on top. From an attacker's point of view, there is no need to break into each company separately; breaching KDDI's system once puts the user data of multiple email services within reach all at once. The sheer size of "up to 14.22 million" comes straight from this structure.

It is also the flip side of convenience. Rather than each provider running its own mail servers, handing the job to a trusted major player makes operations and quality more stable. But the more that "leave it to one provider" advances, the wider a single accident can reach. This incident exposed exactly that weakness. If you only look at the logo of your own provider, you will never notice this kind of risk.

The list of affected email services

Here are the services named in KDDI's announcement, along with the companies that operate them. Check them against the domain (the part after the @) of the email address you use. If you created an email address with any of the services below, you may be among those affected.

Operator | Affected service | Main users
Nifty | @nifty Mail | @nifty members
BIGLOBE | BIGLOBE Mail | BIGLOBE members
JCOM | J:COM NET and others | Cable TV internet users
STNet | Pikara Hikari / Pikara Mobile | Mainly Shikoku region
Chubu Telecommunications | Commufa Hikari / Business Commufa | Mainly Chubu region
KDDI Web Communications | CPI (rental server) | Businesses / site owners

The reach spans from Shikoku (Pikara) to Chubu (Commufa Hikari), the nationwide @nifty and BIGLOBE, and even the business-oriented rental server CPI. A per-service breakdown of the leaked figures has not been disclosed; only the combined total of "up to 14.22 million" has been given. How many records your specific service accounts for is unknown at this point. The surest move is to watch for the follow-up notices each company issues separately.

It wasn't just email addresses

What deserves the most weight in this announcement is that the data possibly exposed includes not only email addresses but passwords too. An email address alone might mean nothing worse than more spam. But when passwords leak alongside them, the situation gets a step more serious.

The scary part is not the email takeover itself, but the chain reaction. Email addresses are reused as the login ID for all kinds of services — online shopping, social media, online banking. That is where password reuse becomes the problem. If you use the same email-and-password combination on other services, attackers can try that pair one service after another and hijack accounts in a cascade. This technique of automatically testing huge lists of stolen IDs and passwords is called a "credential stuffing (password list) attack," and it almost always follows in the wake of a breach.

On top of that, having your email taken over is itself a gateway to the next round of damage. Many services run their "forgot your password" resets through email, so if your mailbox is seized, the reset links delivered there can be used to break into yet more accounts. Email is something like the "spare-key cabinet" of your online life; once it is breached, the impact does not stay in one place. That is precisely why the steps below are worth hurrying.
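As an added, defender-side example that is not part of the article: a web service whose users log in with email addresses has two practical moves once a mail-provider leak like this one is announced, and the Python below sketches both. It flags source addresses that replay many distinct accounts with mostly failed logins in a short window (the credential-stuffing pattern described above), and it lists the accounts to force-reset and prompt for two-factor authentication: those registered with an affected provider, plus any that a flagged source actually logged into. The log format, the sample lines and the affected-domain set are constructed placeholders, since the article names the services but not their mail domains.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log of a downstream web service (hypothetical format:
# ISO timestamp, source IP, login email, result); not data from the article.
SAMPLE_LOG = """\
2026-06-24T09:00:01 198.51.100.7 alice@example-isp-a.test FAIL
2026-06-24T09:00:02 198.51.100.7 bob@example-isp-b.test FAIL
2026-06-24T09:00:02 198.51.100.7 carol@example-isp-a.test FAIL
2026-06-24T09:00:03 198.51.100.7 heidi@other-mail.test OK
2026-06-24T09:00:04 198.51.100.7 erin@example-isp-b.test FAIL
2026-06-24T09:00:05 198.51.100.7 frank@example-isp-a.test FAIL
2026-06-24T09:10:00 203.0.113.9 grace@other-mail.test FAIL
2026-06-24T09:10:30 203.0.113.9 grace@other-mail.test OK
2026-06-24T09:12:00 203.0.113.10 dave@example-isp-a.test OK
"""
# Placeholder domains standing in for the affected providers' mail domains
# (the article names the services, not their domains; an operator fills these in).
AFFECTED_DOMAINS = {"example-isp-a.test", "example-isp-b.test"}

def parse_log(text):
    """One tuple per line: (time, source IP, lowercased email, succeeded?)."""
    return [(datetime.fromisoformat(ts), ip, email.lower(), res == "OK")
            for ts, ip, email, res in (line.split() for line in text.splitlines())]

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5, max_ok_ratio=0.3):
    """IPs that tried many distinct accounts in one window, mostly failing: IP -> account count."""
    by_ip = defaultdict(list)
    for ts, ip, email, ok in events:
        by_ip[ip].append((ts, email, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide the window start
                start += 1
            win = attempts[start:end + 1]
            accounts = {e for _, e, _ in win}
            ok_ratio = sum(1 for _, _, ok in win if ok) / len(win)
            if len(accounts) >= min_accounts and ok_ratio <= max_ok_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged

def accounts_to_reset(events, affected_domains=AFFECTED_DOMAINS):
    """Accounts to force-reset and prompt for 2FA: affected-provider mail, or logged in from a flagged IP."""
    flagged = stuffing_sources(events)
    return sorted({email for _, ip, email, ok in events
                   if email.rsplit("@", 1)[1] in affected_domains or (ok and ip in flagged)})
```

On the sample, the first source is flagged for six distinct accounts with one success, and every account at the placeholder domains plus the one that source logged into lands on the reset list, while the user who simply mistyped once does not.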

The timeline so far

According to KDDI, the company became aware of the unauthorized access six days before disclosure. Here is the sequence from detection to disclosure and the report to the authorities.

Timeline: unauthorized access detected June 17, 2026 → disclosed June 23, 2026 → reports to the authorities in progress.

There is a six-day gap between detection and disclosure. Rather than a sign of hiding information, this is more naturally read as the time it took to pin down the scope and prepare the report to the authorities. For users, however, it means there were six days during which "my password may have leaked." Even while waiting for follow-up news, there is no harm in getting the steps below underway first.

Why was a company as big as KDDI breached?

By KDDI's account, the entry point was a vulnerability in third-party software used within its system. A vulnerability is a design or implementation flaw lurking in a program — a hole that, when exploited, allows operations that should not be possible. Exactly which software and which flaw has not been disclosed.

Here lies another structure that is hard to see. Large systems are not built entirely from scratch in-house; they are assembled from off-the-shelf software and components. In other words, no matter how thoroughly you harden your own security, if a built-in external part has a hole, you can be breached through it. To a user it is "email entrusted to KDDI," yet the inside depends in turn on software made by someone else. It is a double structure: the party you entrusted depends, in turn, on yet another party.

This pattern of "breached through an external part or an outsourced partner" is common to recent large incidents. At the streaming service Crunchyroll, it was not its own systems but an outsourced partner that became the entry point, leaking information on roughly 6.8 million people. In Japan, too, cases where "the periphery, not the core" becomes the hole keep coming, as when Awa Bank had a neglected test environment exploited and leaked 27,000 records. Defenders must keep every component safe at all times, while attackers only need to find one hole. This asymmetry is the fundamental reason even giant companies get breached.

What users should do right now

Even at the "may have leaked" stage, there are precautions you can take. Since passwords are among the data at risk, the top priority is to change the password for the affected email service, and also change it on any other services where you reused the same password. Here is the order.

1. Change the password for the affected email service. If your email service is in the list above, change that password first. You can do this from each company's support pages (such as BIGLOBE and @nifty). Make the new password a unique one you do not use anywhere else.

2. Change other services where you reused it. The most dangerous case is using the same password for online shopping, social media, or online banking. If the leaked pair is tested there, those accounts can be broken into in a cascade. If anything comes to mind, change those to separate passwords too.

3. Turn on two-factor authentication. This is a setting that, in addition to your password, requires something like a confirmation code sent to your phone. Even if your password leaks, this goes a long way toward blocking unauthorized logins. Always switch it on for services that support it.

4. Beware of "piggyback" fake emails. After incidents like this, fake emails that prey on anxiety surge. They use lines like "an apology for the data leak" or "verify your password now" to lure you to fake login pages. Do not click links inside emails; the safe approach is to open each company's official site yourself from your own bookmark and proceed there. It is also worth checking whether any login notifications you don't recognize have arrived.

Note that KDDI and the individual companies are continuing to investigate the impact, and additional measures such as direct contact with affected users or forced password resets may follow. The final scope and the per-service breakdown of figures are expected to be updated in future reports.

What we know, and what we don't yet

✓ Confirmed facts

  • KDDI's email system provided to ISPs was breached (ITmedia)
  • Up to 14.22 million email addresses and passwords may have been exposed (Yahoo! News)
  • Affected services include @nifty, BIGLOBE, J:COM NET, Pikara, Commufa Hikari, and CPI
  • Detected June 17, disclosed June 23; a third-party software flaw was exploited and defenses are said to be in place (Kyodo News)

? Not yet disclosed

  • Whether the data was actually taken out and misused — for now it is at the "possible leak" stage
  • The name of the exploited third-party software and the details of the flaw — undisclosed
  • The per-service breakdown of leaked figures — only the "combined up to 14.22 million" has been given
  • Whether passwords were encrypted or stored closer to plain text — unclear from public information

Frequently asked questions

Q. I only use an au smartphone. Does this concern me?

What has been named as affected here are the "email services of various ISPs," such as @nifty and BIGLOBE. It has not been announced that au's mobile contract itself, or au's email (@au.com / @ezweb.ne.jp), is affected. That said, if you separately created an email address with one of these providers, you may be affected. Check each company's follow-up notices for the final scope.

Q. If I change my password, am I safe?

Changing the password for the affected service is the top priority, but it may not be enough on its own. If you reuse the same password on other services, you need to change it there as well. Combine this with enabling two-factor authentication and staying alert to piggyback fake emails.

Q. Will KDDI contact me?

KDDI is proceeding with reports to the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications, and the service operators may issue guidance to users. However, fake emails impersonating that very guidance also circulate easily, so don't click links inside emails — opening the official site yourself is the safe approach.

Q. Why were so many services affected at once?

Because each company's email functions ran on KDDI's shared system. With the foundation consolidated into one, a single intrusion there spread simultaneously to the multiple services riding on top of it.
