14 Million Email Passwords May Be Loose After KDDI Breach
One vulnerable piece of third-party software cracked open six ISPs at once. If your inbox is one of them, the clock already started.
Founder & Lead Technician

Quick answer
Japanese telecom KDDI disclosed a breach discovered June 17 in an email system shared by six ISPs. Attackers exploited a third-party software flaw and may have exposed up to 14.2 million customer email addresses and passwords, some stored in plaintext.
One flaw. Six providers. Up to 14.2 million inboxes potentially wide open.
Japanese telecom giant KDDI Corporation has disclosed a breach of an email system that it did not just use itself, but shared with five other internet service providers. The result is a single failure that may have spilled the email addresses and passwords of as many as 14.22 million customers at once.
Here is the part that should worry you: KDDI cannot yet say how many of those passwords were sitting in plaintext.
What KDDI actually confirmed
KDDI says it discovered the compromise on June 17 and moved fast, blocking the attacker and rolling out defensive measures the same way most large carriers do after detection. The investigation pointed to a vulnerability in an unnamed third-party piece of software running on the affected email system.
That detail matters more than it looks. The hole was not in KDDI's core network or in some exotic custom build. It was in software KDDI bought and plugged in, the kind of dependency almost every large provider relies on. One weak link in that chain, and the door opened.
The company is blunt about the risk that remains. Even with defenses now in place, KDDI warns there is a real possibility that customer email addresses and passwords were obtained by unauthorized third parties.
Why 14.2 million is the scary number
KDDI is not a small player. It has roughly 45,000 employees and pulls in about $32.4 billion in annual revenue, and it has operated since 2000, formed from the merger of IDO, DDI, and KDD, Japan's former state monopoly for international telecom. When an operator at that scale shares one email backend across six ISPs, a single breach does not stay contained to one brand.
The exposure figure of up to 14.22 million includes current customers, former customers, and inactive accounts that may not even be in use anymore. That last group is the quiet danger. People abandon an old ISP email but keep using that same password elsewhere, and they never think about it again.
So what does this actually mean for you? If you ever held an account with any of the six affected providers, even years ago, your old credentials could be in someone else's hands right now.
Hashed, encrypted, or plaintext, and why the difference is everything
KDDI offered one piece of cautious reassurance: some passwords were stored in hashed or encrypted form, which means they cannot be readily abused to hijack accounts even if exposed.
But read that sentence carefully. Some. Not all.
KDDI did not specify what type of encryption was used, and it did not say what percentage of accounts had passwords stored in plaintext. Those two gaps turn a partial reassurance into a real warning.
If any portion of those 14.2 million passwords was stored in plaintext, attackers do not need to crack anything. They can simply read the password and log straight in. Until KDDI publishes the breakdown, assume yours was one of them.
This is the difference between a breach you can shrug off and one you have to act on. A strongly hashed password buys you time. A plaintext password buys you nothing.
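To make the hashed-versus-plaintext distinction concrete, here is an added example (not KDDI's code, and not anything known about the affected email system) of how a password store should look when it "buys you time": each password is run through a memory-hard key derivation function with a random per-user salt, and login recomputes the hash and compares in constant time. The scrypt parameters, the record format and the sample password are all assumptions chosen for this demonstration. A plaintext row is shown beside it only to illustrate what a leaked table gives away in each case.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors for this example. These are illustrative values for a
# demonstration, not parameters KDDI or the affected ISPs are known to use.
SCRYPT_N = 2 ** 14   # CPU/memory cost (about 16 MiB with r=8)
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "scrypt$N$r$p$salt_hex$key_hex".

    A fresh random salt per password means two users who chose the same
    password get different records, so a leaked table cannot be cracked
    with a single precomputed list.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the parameters stored in the record and compare
    in constant time, so a wrong guess costs exactly as much as a right one."""
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        n, r, p = int(n), int(r), int(p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False          # malformed record: never accept
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(key, expected)


def record_reveals_password(password: str, record: str) -> bool:
    """What a leaked row gives away: True for a plaintext store, False for a
    properly hashed one. Used below to contrast the two storage choices."""
    return password in record


if __name__ == "__main__":
    pw = "correct horse battery staple"              # constructed sample password
    plaintext_row = f"user@example.invalid:{pw}"     # how a plaintext store would leak it
    hashed_row = hash_password(pw)
    print("plaintext row leaks password:", record_reveals_password(pw, plaintext_row))
    print("hashed row leaks password:   ", record_reveals_password(pw, hashed_row))
    print("verify correct:", verify_password(pw, hashed_row))
    print("verify wrong:  ", verify_password("hunter2", hashed_row))
```

The point of storing N, r and p inside the record is that the work factor can be raised later without invalidating existing accounts: old records still verify with their own parameters and can be rehashed on the next successful login.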
The real reason ISP email breaches hurt more
A leaked password from a random forum is annoying. A leaked ISP email login is dangerous, and here is why.
Your primary email is the master key to your digital life. It is where password reset links land. Compromise the inbox and an attacker can walk through it to your banking, your shopping, your social accounts, one reset at a time.
- Password reuse multiplies the damage. If you used your ISP email password anywhere else, every one of those accounts is now exposed too.
- Inactive accounts are blind spots. Nobody monitors an inbox they stopped checking, so a takeover can go unnoticed for months.
- Phishing gets personal. Attackers who know your real provider and email can craft messages that look exactly like official ISP notices, asking you to log in and verify.
What to do tonight, in order
Do not wait for KDDI to finish its investigation. By the time the final account count lands, any exposed password has already been in circulation for weeks. Run this checklist now.
- Change the affected email password immediately. Make it long, unique, and used nowhere else.
- Change it everywhere you reused it. This is the single most important step if you are a password reuser, and most people are.
- Turn on two-factor authentication on the email account and on anything valuable linked to it. Even a stolen password fails without the second factor.
- Watch for targeted phishing. Treat any email claiming to be from your provider and asking you to log in as suspect. Go to the site directly instead of clicking.
- Check breach databases. Search your address on reputable have-i-been-pwned style services and set up alerts so you know the moment it shows up again.
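The breach-database check in the last step has a password-side counterpart worth understanding: a "have I been pwned" style service can tell you whether a password (say, the new one you are about to pick) already appears in leaked corpora without you ever sending it the password. The example below is added here and is not code from the article or from the service; it implements the k-anonymity range lookup as the Pwned Passwords API documents it (send only the first five hex characters of the SHA-1, match the rest locally). The endpoint URL and response format are the real service's as I know them; the corpus and counts are constructed for the offline demo, and the live fetcher is included but not called.

```python
import hashlib
from typing import Callable, Dict, List, Tuple
from urllib.request import Request, urlopen

RANGE_API = "https://api.pwnedpasswords.com/range/"   # HIBP Pwned Passwords range endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the "SUFFIX:COUNT" lines the range endpoint returns."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 if unseen.
    Only the hash prefix reaches fetch_range, so the service learns neither
    the password nor its full hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Live fetcher for the real service (not used by the offline demo below)."""
    req = Request(RANGE_API + prefix, headers={"User-Agent": "range-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service: a few sample passwords with made-up
# counts, rendered in the same "SUFFIX:COUNT" format the real endpoint uses.
# No real breach data is embedded here.
_CONSTRUCTED_CORPUS = {"password": 9_000_000, "hunter2": 25_000, "qwerty123": 1_200}


def _build_fake_ranges(corpus: Dict[str, int]) -> Dict[str, str]:
    ranges: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


_FAKE_RANGES = _build_fake_ranges(_CONSTRUCTED_CORPUS)


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher backed by the constructed corpus above."""
    return _FAKE_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for candidate in ["password", "hunter2", "Q7!mz-vr4#Lp9wKd"]:   # constructed candidates
        print(candidate, "->", pwned_count(candidate, fetch_range_offline))
```

A non-zero count is a reason to pick a different password even if your own account was never in the leak, because credential-stuffing lists are built from exactly these corpora. To run it against the live service, pass fetch_range_online instead of fetch_range_offline.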
What happens next (24 to 72 hours)
Expect KDDI to keep updating its disclosure as the investigation continues, including a firmer count of affected accounts and, hopefully, the plaintext-versus-encrypted breakdown it has so far withheld. Watch for the affected ISPs to push forced password resets and email notices to customers, which is exactly the moment phishing crews will impersonate those same notices.
The lesson runs deeper than one carrier. A third-party software flaw took down email for six providers simultaneously, a reminder that your security is only as strong as the weakest vendor in your provider's supply chain. You cannot patch their software. You can make sure that when their software fails, your reused password is not the thing that sinks you.
Source: BleepingComputer
Frequently asked questions
Was my password actually stolen in the KDDI breach?
KDDI has not confirmed which accounts were exposed. It says up to 14.2 million email addresses and passwords may have been obtained, including current, former, and inactive accounts. Some passwords were hashed or encrypted, but KDDI did not say how many were stored in plaintext, so you should assume yours could be affected and change it.
Which providers were affected by the KDDI email breach?
The compromised email system was shared by KDDI and five other Japanese internet service providers, six operators in total. The breach stemmed from a vulnerability in unnamed third-party software KDDI ran on the affected system, not from a failure at each ISP individually.
What should I do right now to protect my account?
Change the password on the affected email account and on any other site where you reused it. Turn on two-factor authentication, watch for phishing emails that reference your provider, and check whether your address appears in known breach databases. Treat the leaked password as public from now on.
Daniel founded Ask Technicians to cut through bad tech advice. He writes hands-on troubleshooting guides drawn from years of real-world repair and support work.