Internet Initiative Japan (IIJ) has provided concrete figures detailing the customer information compromised in a data breach impacting its IIJ Secure MX Service. The announcement, made on April 22, 2025, clarifies the actual scale of the breach initially reported on April 15.
What Information Was Compromised?
The leak involved three specific types of customer data:
- Email accounts and passwords created for users of the IIJ Secure MX Service.
- The body and header information of emails sent and received through the service.
- Administrator authentication credentials for third-party cloud services that users had configured to link with the IIJ Secure MX Service.
Quantifying the Impact
The newly released figures paint a clearer picture of the incident’s reach:
Email Accounts and Passwords Leak
Details for a significant number of IIJ Secure MX Service email accounts were exposed. IIJ confirmed that 311,288 email accounts belonging to 132 contracts were compromised. Among these, some accounts also had their corresponding passwords leaked. This updated count refines the initial estimate from April 15, which suggested a potential exposure affecting up to 6,493 contracts and 4,072,650 accounts. The latest disclosure confirms the specific subset of accounts that were actually impacted.
Compromised Email Content
The leak involving the content of emails was comparatively smaller. This affected 24 email accounts across 6 contracts, with a total of 32 emails confirmed to have been leaked, including both their body content and header information.
Leaked Linked Cloud Service Credentials
A critical part of the breach involves the administrative credentials for third-party cloud services integrated with the IIJ Secure MX Service. IIJ reported that 488 sets of administrator authentication information were leaked, corresponding to 488 separate contracts. An IIJ spokesperson explained that the IIJ Secure MX Service supports integration with platforms such as Microsoft 365 and Google Workspace, typically allowing one administrator account per contract to be linked. The credentials for these 488 linked admin accounts were compromised.
Total Affected Contracts and the Cause
Combining all categories and excluding any overlaps, IIJ stated that the breach impacted a total of 586 contracts.
IIJ also formally acknowledged that the root cause of this security failure was a vulnerability found within the Active! mail webmail system. This system had been integrated into the IIJ Secure MX Service.
Understanding the Implications
This incident underscores the critical importance of robust security practices, particularly for services that handle sensitive data like email communications and system access credentials. The exposure of email accounts and passwords can lead to significant risks, including phishing attacks and unauthorized account takeovers. Even more concerning is the leak of administrator credentials for cloud services, which could grant attackers extensive access to potentially critical corporate data and infrastructure residing within platforms like Microsoft 365 or Google Workspace.
Organizations relying on such integrated services must prioritize strong authentication methods, conduct regular security assessments, and ensure timely application of security patches for all software components, especially those integrated from third parties like the Active! mail system in this case. IIJ customers affected by this breach should immediately follow the guidance provided by the company, which typically includes mandatory password resets for impacted accounts and updating credentials for any linked third-party services. This breach serves as a stark reminder of the interconnectedness of services and the potential cascading effects of vulnerabilities in integrated components.