KDDI Email Breach Exposes Up to 14.22 Million Accounts in Japan

KDDI reported a major security breach affecting up to 14.22 million email accounts on June 23, 2026. Users of Nifty, Biglobe, and four other providers should immediately change passwords and enable two-factor authentication.

Key Points

  • Up to 14.22 million email addresses and passwords potentially compromised through KDDI breach.
  • Affected services include Nifty, Biglobe, and four other email providers using KDDI infrastructure.
  • Users must immediately change passwords and enable two-factor authentication on all accounts.
  • Monitor bank statements and email activity for suspicious unauthorized access or transactions.

Japanese telecommunications giant KDDI announced on June 23, 2026, that its email system infrastructure suffered a major security breach, potentially compromising up to 14.22 million email addresses and passwords. The incident affects users of multiple internet service providers who rely on KDDI's backend systems, raising serious concerns for both Japanese residents and foreign nationals living in Japan.

According to NHK, the breach occurred when unauthorized parties gained access to an email system that KDDI provides to partner companies. The compromised data includes user email addresses and passwords, representing one of the largest data breaches in recent Japanese corporate history. KDDI has urged all potentially affected users to change their passwords immediately as a precautionary measure.

The breach impacts customers of six major internet service providers that utilize KDDI's email infrastructure, including well-known companies such as Nifty and Biglobe, as reported by Livedoor News. These providers serve millions of users across Japan, including a significant number of foreign residents who rely on these services for personal and professional communication.

For expats living in Japan, this breach carries particular significance. Many foreign residents use email services from Nifty, Biglobe, or other affected providers as their primary communication channels for banking, visa applications, employment correspondence, and maintaining connections with home countries. The exposure of both email addresses and passwords creates a serious security vulnerability that could lead to identity theft, unauthorized access to linked accounts, and potential financial fraud.

Security experts warn that compromised email credentials can provide cybercriminals with a gateway to other services. Many people use the same password across multiple platforms, meaning hackers could potentially access banking apps, social media accounts, online shopping platforms, and other sensitive services. This is particularly concerning for foreign residents who may have accounts spanning multiple countries and jurisdictions.

KDDI has not disclosed specific details about how the breach occurred or when the unauthorized access first began. The company is currently investigating the incident and working to strengthen its security measures. However, the lack of detailed information about the breach timeline means users cannot be certain how long their credentials may have been exposed or what actions unauthorized parties may have already taken.

Affected users should immediately take several critical steps to protect themselves. First, change passwords for all email accounts associated with Nifty, Biglobe, or other KDDI-affiliated providers. Second, enable two-factor authentication wherever possible to add an additional layer of security. Third, change passwords for any other accounts that used the same password as the compromised email account, including banking, shopping, and social media platforms.

Expats should also monitor their accounts closely for any suspicious activity. This includes checking bank statements for unauthorized transactions, reviewing email sent folders for messages you didn't send, and watching for password reset requests on other services. If you notice any unusual activity, report it immediately to the relevant service provider and consider filing a report with local police.

The incident highlights the ongoing cybersecurity challenges facing Japan's technology sector and underscores the importance of robust digital security practices. For foreign residents navigating life in Japan, this breach serves as a stark reminder to maintain strong, unique passwords for different services, regularly update security settings, and stay informed about potential vulnerabilities in commonly used platforms.

KDDI has established channels for affected users to obtain more information, though details were limited at the time of the announcement. Users of potentially affected email services should contact their providers directly for specific guidance and confirmation of whether their accounts were compromised in this breach.