← All articles

redaction

KDDI: 12.23M emails and 7.62M passwords compromised

On July 7, 2026, KDDI confirmed unauthorized access to ~12.233M emails and ~7.616M passwords from its ISP email platform—an emblematic supply chain case with lessons for European companies.

On July 7, 2026, KDDI confirmed unauthorized access to approximately 12,233,000 user email addresses and 7,616,000 passwords on its ISP email platform used by multiple Japanese partners. This highlights supply chain and credential reuse risks for European firms.

What happened

KDDI “confirmed” unauthorized access to email addresses (~12.233M) and passwords (~7.616M) for mail accounts managed for partner ISPs (J:COM, BIGLOBE, NIFTY, CTC, etc.). Initial signs appeared in mid‑June 2026; broad password resets followed. The initial upper estimate (up to 14.22M potentially affected identifiers) was refined on July 7, 2026.

Legal framework

For Luxembourg and the EU, an extra‑EU incident can still trigger obligations where it affects EU data subjects or exposes EU systems through credential reuse. Controllers must assess notification to the DPA within 72 hours (see the GDPR framework, incl. Article 33) and, where risk is high, inform data subjects (Article 34). Technical/organizational measures adequacy (Article 32) includes phishing‑resistant MFA, secret management, and access monitoring.

“Essential”/“important” entities under the NIS 2 Directive and its supply chain risk management requirements must cover account/Token security and oversight of email/SaaS providers, with sectoral notification timelines (early warning 24h, notification 72h, final report ~1 month as transposed).

Implications for Luxembourg organizations

  • Domino effect via credential reuse. Millions of email/password pairs can fuel credential stuffing against OWA/M365/Google Workspace, VPNs, CRMs, HRIS, and customer portals—especially if partner corporate addresses are among the compromised accounts.
  • Supply chain and integrations. OAuth/API token abuse and service accounts can bypass classic controls; treat email/ISP and SaaS providers as critical assets with continuous oversight.
  • Reaction timelines and evidence. Anticipate GDPR notification (72h), log every action, and prepare clear, actionable messages to data subjects.

Concrete actions to take this week

  • Map exposed credentials. Use your exposure monitoring (haveibeenpwned/third‑party, threat intel, EDR/XDR) to find corporate domains or VIP accounts in KDDI leaks; force resets and revoke sessions/tokens. If needed, consider dark web monitoring of exposed credentials to detect compromised accounts.
  • Block reuse and escalation. Enforce phishing‑resistant MFA (FIDO2/WebAuthn), non‑reusable passwords, and rules detecting password spraying and unusual API/OAuth activity.
  • Run a supplier control. Review security/notification clauses with critical email/ISP and SaaS providers; require access logs, secret rotation, quarterly reviews of connected apps, and a documented incident path (who notifies what within 24/72h), including extra‑EU cases.

Key takeaway

Credentials stolen outside the EU can still trigger your GDPR compliance obligations and risk management duties under NIS 2. Strengthen MFA, integration oversight, and detection of credential reuse attempts.

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →