KDDI¡¯s email system for internet service providers has been breached, the company said Tuesday, with up to 14.22 million sets of email addresses and passwords possibly leaked.

The affected service providers include STNet, JCOM, Chubu Telecommunications, Nifty, Biglobe and KDDI Web Communications.

KDDI said it confirmed the cyberattack on June 17 and has implemented protective measures.

The cyberattack exploited vulnerabilities in third-party software used in the email system, according to KDDI.

The company said it would?work with the affected internet service providers to urge users to change their passwords, while continuing to investigate the extent of the damage.

Cases of personal information breaches reported by listed companies and their subsidiaries in Japan totaled 180 in 2025, resulting in information on some 30.6 million people being leaked, according to Tokyo Shoko Research.

More than 60% of the cases were caused by unauthorized access or computer virus infections, it said. Unauthorized access to companies¡¯ servers can lead to a large-scale information breach as a massive amount of data can be leaked in a matter of seconds.

Cases of malware attacks are on the rise, with Japanese police having confirmed 226 cases of damage from ransomware attacks last year, the second-highest annual total.

The number of ransomware attacks, in which perpetrators use a computer virus to encrypt data and demand payment to restore access, rose by four from the previous year.

Although some 60% of the victims of ransomware attacks were small and midsize companies, there were cases in which serious damage was inflicted on large companies, such as food and beverage giant Asahi Group Holdings and office and household goods supplier Askul.

A ransomware attack at Asahi Group last September led to 115,513 sets of personal data being leaked.

The cyberattack also caused a system glitch that forced Asahi Group to suspend production and shipments at most of its domestic plants and process orders manually. It took the group more than six months to resume shipments of all its products.

Askul said in December that a ransomware cyberattack discovered in October led to about 740,000 sets of data concerning its individual customers, corporate clients and employees being leaked.