Top of Page
- Links to move inside this page.
- HOME
- About IIJ
- News / CSR
- Press Releases
- 2025
- Notice and Apology Regarding the Breach of Customer Information in "IIJ Secure MX Service"
Notice and Apology Regarding the Breach of Customer Information in "IIJ Secure MX Service"
[English Translation]
April 22, 2025
Internet Initiative Japan Inc.
TOKYO - April 22, 2025 - Internet Initiative Japan Inc. (IIJ, TSE Prime: 3774) today announced that following the disclosure on April 15, 2025, of an incident involving unauthorized access to our enterprise email service "IIJ Secure MX Service" (hereinafter referred to as the "Initial Report"), we are now providing an update based on the results of our subsequent investigation.
(Note) As for the Initial Report, please refer to the following press release titled "Notice Regarding the Breach of Customer Information in "IIJ Secure MX Service" which was announced on April 15, 2025
https://www.iij.ad.jp/en/news/pressrelease/2025/0415.html
We sincerely apologize for the great inconvenience and concern we are causing our customers and all other related parties. We would like to express our deepest apologies once again.
Number of customer contracts confirmed as affected by the breach
Of all customer contracts for "IIJ Secure MX Service" that were reported in the Initial Report as potentially affected by the breach, the number of contracts for which an actual breach has been confirmed is as follows.
Breach of email accounts and passwords created within the affected service
Number of affected customer contracts: 132 contracts
(Note1) For part of these customer contracts, only the breach of email accounts has been confirmed.
(Note2) Out of the 4,072,650 email accounts that were identified in the Initial Report as potentially affected by the breach, 311,288 email accounts have been confirmed as affected.
Breach of email's contents and header information transmitted and received through the affected service
Number of affected customer contracts: 6 contracts
Breach of authentication credentials for third-party cloud services that were configured to operate in conjunction with the affected service
Number of affected customer contracts: 488 contracts
The number of contracts, excluding duplicates, from the total number of contracts for the three items above is 586 contracts.
Notification to the affected customers
Customers who currently have contracts with us are being informed by our sales representatives. Additionally, those responsible for the operation and management of the affected service can check the notification through the "IIJ Service Online."
For customers who no longer have contracts with us but have previously used the service, please contact us through the inquiry form below if you have any questions or concerns.
Inquiry form
Please contact through the inquiry form if you have any questions or concerns.
Dedicated customer support form for security incidents (Japanese only)
Cause of the unauthorized access
The cause of the unauthorized access in this incident was due to a vulnerability in a third party's software used for "IIJ Secure MX Service." This vulnerability had not been discovered during the period between the occurrence and detection of the unauthorized access, and it was identified for the first time because of this incident. Afterward, the software vendor completed the necessary remediation, and on April 18, information about the vulnerability was publicly disclosed as a high-priority issue on JVN (Japan Vulnerability Notes).
Exploited Vulnerability
JVN#22348866:Active! mail vulnerable to stack-based buffer overflow Critical
(Note) JVN (Japan Vulnerability Notes): It is a vulnerability information portal site designed to help ensure Internet security by providing vulnerability information and their solutions for software products used in Japan. Under the "Information Security Early Warning Partnership," the JVN has been operated jointly by the JPCERT Coordination Center and the Information-technology Promotion Agency (IPA) since July 2004.
The software which was used for the optional features of "IIJ Secure MX Service," is no longer in use, as these functionalities were discontinued in February 2025.
Future actions
Currently, we are reviewing and strengthening security measures and monitoring systems to prevent recurrence. We are also continuing to work closely with relevant institutions to address the situation. Should any new information requiring disclosure be identified, we will promptly provide updates.
About IIJ
Founded in 1992, IIJ is one of Japan's leading Internet-access and comprehensive network solutions providers. IIJ and its group companies provide total network solutions that mainly cater to high-end corporate customers. IIJ's services include high-quality Internet connectivity services, systems integration, cloud computing services, security services and mobile services. Moreover, IIJ has built one of the largest Internet backbone networks in Japan that is connected to the United States, the United Kingdom and Asia. IIJ was listed on the Prime Market of the Tokyo Stock Exchange in 2022.
- For more information about IIJ, visit the IIJ Web site at https://www.iij.ad.jp/en/.
The statements within this release contain forward-looking statements about our future plans that involve risk and uncertainty. These statements may differ materially from actual future events or results.
- For inquiries, contact
-
IIJ Corporate Communications
+81-3-5205-6310 
+81-3-5205-6377 
press@iij.ad.jp
- (*)All company, product, and service names used in this press release are the trademarks or registered trademarks of their respective owners.
- Related Contents
End of the page.