KDDI: 12.23M emails and 7.62M passwords compromised
On July 7, 2026, KDDI confirmed unauthorized access to ~12.233M emails and ~7.616M passwords from its ISP email platform—an emblematic supply chain case with lessons for European companies.
On July 7, 2026, KDDI confirmed unauthorized access to approximately 12,233,000 user email addresses and 7,616,000 passwords on its ISP email platform used by multiple Japanese partners. This highlights supply chain and credential reuse risks for European firms.
What happened
KDDI “confirmed” unauthorized access to email addresses (~12.233M) and passwords (~7.616M) for mail accounts managed for partner ISPs (J:COM, BIGLOBE, NIFTY, CTC, etc.). Initial signs appeared in mid‑June 2026; broad password resets followed. The initial upper estimate (up to 14.22M potentially affected identifiers) was refined on July 7, 2026.
Legal framework
For Luxembourg and the EU, an extra‑EU incident can still trigger obligations where it affects EU data subjects or exposes EU systems through credential reuse. Controllers must assess notification to the DPA within 72 hours (see the GDPR framework, incl. Article 33) and, where risk is high, inform data subjects (Article 34). Technical/organizational measures adequacy (Article 32) includes phishing‑resistant MFA, secret management, and access monitoring.
“Essential”/“important” entities under the NIS 2 Directive and its supply chain risk management requirements must cover account/Token security and oversight of email/SaaS providers, with sectoral notification timelines (early warning 24h, notification 72h, final report ~1 month as transposed).
Implications for Luxembourg organizations
- Domino effect via credential reuse. Millions of email/password pairs can fuel credential stuffing against OWA/M365/Google Workspace, VPNs, CRMs, HRIS, and customer portals—especially if partner corporate addresses are among the compromised accounts.
- Supply chain and integrations. OAuth/API token abuse and service accounts can bypass classic controls; treat email/ISP and SaaS providers as critical assets with continuous oversight.
- Reaction timelines and evidence. Anticipate GDPR notification (72h), log every action, and prepare clear, actionable messages to data subjects.
Concrete actions to take this week
- Map exposed credentials. Use your exposure monitoring (haveibeenpwned/third‑party, threat intel, EDR/XDR) to find corporate domains or VIP accounts in KDDI leaks; force resets and revoke sessions/tokens. If needed, consider dark web monitoring of exposed credentials to detect compromised accounts.
- Block reuse and escalation. Enforce phishing‑resistant MFA (FIDO2/WebAuthn), non‑reusable passwords, and rules detecting password spraying and unusual API/OAuth activity.
- Run a supplier control. Review security/notification clauses with critical email/ISP and SaaS providers; require access logs, secret rotation, quarterly reviews of connected apps, and a documented incident path (who notifies what within 24/72h), including extra‑EU cases.
Key takeaway
Credentials stolen outside the EU can still trigger your GDPR compliance obligations and risk management duties under NIS 2. Strengthen MFA, integration oversight, and detection of credential reuse attempts.
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →