Notice Regarding the Breach of Customer Information in "IIJ Secure MX Service"

[English Translation]

PDF [178KB] / Japanese

TOKYO - April 15, 2025 - Internet Initiative Japan Inc. (IIJ, TSE Prime: 3774), has confirmed on April 10, 2025, the possibility that part of customer information may have been externally breached in connection with "IIJ Secure MX Service", our email security service for enterprises, as outlined below. If you have used the affected service and have any questions or concerns, please do not hesitate to contact through inquiry form listed below. We sincerely apologize for the inconvenience and concern this incident may have caused.

Details of the information breach

We confirmed, on April 10, 2025, the fact that unauthorized access to the service infrastructure of "IIJ Secure MX Service" occurred on or after August 3, 2024, during which a malicious program was found to have been executed. Consequently, there is a possibility that email communications and authentication information related to the service may have been exposed. Following the confirmation of a potential information breach, we identified the route of the unauthorized access and implemented appropriate isolation measures. The service is now operating securely. We are continuing to investigate the root cause and the extent of the impact.

Number of customers whose information may have been breached

Up to 6,493 contracts and 4,072,650 email accounts (all customers of "IIJ Secure MX Service")

(Note) Customers who had already ceased using the service at the time of the unauthorized access are also included.

Potentially breached information

The types of information that may have been breached vary depending on the customer's contract details and the features used. Our sales representatives are providing individual guidance to each affected customer.

• Email accounts and passwords created within the affected service
• Content and header information of emails sent and received via the affected service
• Authentication information for third-party cloud services that were configured to work in conjunction with the affected service

(Note) From the above information, those related to the features in use.

For contracts that had been terminated as of August 3, 2024, the following information is applicable:

• Email accounts created within the affected service
• Authentication information for third-party cloud services that were configured to work in conjunction with the affected service

(Note) From the above information, those related to the features in use.

We are notifying customers regarding all contracts and associated information for which the possibility of information breach cannot be ruled out.

Notification to affected customers

We are currently notifying customers who have an active contract with us and may have been impacted by this incident. In addition, the personnel responsible for the operation and management of the service can confirm the notification through "IIJ Service Online."

If you no longer have an active contract with us but have previously used the affected service, we kindly ask that you contact through the inquiry form listed below should you have any questions or concerns.

Inquiry form

For any inquiries, please contact our inquiry desk as outlined below.

Dedicated customer support form for security incidents (Japanese only)

• https://biz.iij.jp/public/application/add/39186

We are currently cooperating with relevant organizations to address the situation, and will promptly disclose new information as it becomes available.

The statements within this release contain forward-looking statements about our future plans that involve risk and uncertainty. These statements may differ materially from actual future events or results.

For inquiries, contact

IIJ Corporate Communications

• +81-3-5205-6310
• +81-3-5205-6377
• press@iij.ad.jp

• (*)All company, product, and service names used in this press release are the trademarks or registered trademarks of their respective owners.