You have got to be KDDI-ng – Japanese telco exposes 14.2 million managed email credentials

Cyber-Crime

Five ISPs and plenty of users await their fate

Japanese telco KDDI has messed up by allowing an attacker to access systems powering an email service it manages for itself and other local ISPs, and which stores info on up to 14.2 million users.The company yesterday posted a confession [PDF] that it detected unauthorized access to the email system it offers to third-party customers on June 17th.Machine translation of the confession suggests that KDDI investigated the situation and found attackers exploited a vulnerability in third-party software used on the email service, without claiming that vuln was a zero-day it had no chance of defending or an explanation of why it was running vulnerable software.

There’s some good news because KDDI was able to prevent further intrusion on the same day it noticed the attack, and says it has bolstered its defences to prevent future intrusions.

But the carrier also fears that up to 14.2 million email addresses and passwords may have leaked and therefore warned that third parties may have obtained personal data. Thankfully, the company had hashed and encrypted the passwords – so users only have to fear phishing and identity theft, instead of something nastier.