Teen Hacker Extracts Personal Data of 7M Japanese Internet Café Users, Arrested in Osaka
What Happened – On 4 Dec 2025 a 17‑year‑old in Osaka ran malicious code that harvested personal information from more than 7 million customers of Kaikatsu Club, Japan’s largest internet‑café chain. The suspect was later detained under the Unauthorized Access Prohibition Act.
Why It Matters for TPRM –
- Large‑scale personal‑data exposure from a third‑party consumer‑facing service can cascade to downstream vendors that store or process that data.
- Youth‑driven, AI‑assisted tooling lowers the barrier for mass data theft, increasing the frequency of similar attacks across the supply chain.
- Regulatory penalties and brand damage can extend to partners that rely on the compromised service for authentication or payment processing.
Who Is Affected – Retail and consumer‑service providers, SaaS platforms that integrate Kaikatsu Club login APIs, payment processors, and any downstream partners handling the exposed user data.
Recommended Actions –
- Review contracts and data‑flow diagrams for any reliance on Kaikatsu Club services.
- Verify that any shared credentials or API keys have been rotated and that MFA is enforced.
- Conduct a risk assessment for downstream data‑processing activities and update incident‑response playbooks.
Technical Notes – The attacker deployed custom malicious scripts (likely leveraging publicly available AI code‑generation tools) to scrape user profiles via unsecured endpoints. No specific CVE was cited; the breach stemmed from inadequate input validation and lack of rate‑limiting. Exfiltrated data included names, email addresses, phone numbers, and usage logs. Source: The Hacker News
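The Technical Notes attribute the breach to unvalidated, unthrottled profile endpoints being scraped at scale. The detection below is an added example for this brief, not code from the Kaikatsu Club incident or from the source article: it parses constructed access-log lines, groups profile lookups by client address, and flags any client that fetches an abnormal number of distinct user records inside a rolling window, reporting how sequential the requested IDs were. The log format, the `/api/users/<id>/profile` path, the thresholds and the sample addresses are all assumptions chosen for illustration.

```python
"""Flag clients that enumerate user-profile records at abnormal rates.

Added example for this brief; the log format, endpoint path, thresholds and
sample clients are assumptions, not details of the Kaikatsu Club incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line layout: "<iso-timestamp> <client_ip> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed profile endpoint; the numeric id is what a scraper would iterate over.
PROFILE_RE = re.compile(r"^/api/users/(?P<uid>\d+)/profile$")


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    pm = PROFILE_RE.match(rec["path"])
    rec["uid"] = int(pm.group("uid")) if pm else None
    return rec


def detect_enumeration(lines, window=timedelta(seconds=60), max_hits=20, min_distinct=10):
    """Return {client_ip: finding} for clients whose profile lookups in any
    rolling window exceed max_hits requests covering at least min_distinct ids."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["uid"] is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start : end + 1]
            uids = [r["uid"] for r in win]
            distinct = len(set(uids))
            if len(win) > max_hits and distinct >= min_distinct:
                # Fraction of consecutive lookups that step the id by exactly 1:
                # close to 1.0 means the client is walking the id space in order.
                steps = sum(1 for a, b in zip(uids, uids[1:]) if b - a == 1)
                findings[ip] = {
                    "requests_in_window": len(win),
                    "distinct_ids": distinct,
                    "sequential_ratio": round(steps / max(len(uids) - 1, 1), 2),
                    "window_start": win[0]["ts"].isoformat(),
                }
                break  # one finding per client is enough for an alert
    return findings


def build_sample_log():
    """Constructed sample traffic: one enumerating client and one normal user."""
    base = datetime(2025, 12, 4, 2, 15, 0)
    lines = []
    # Constructed scraper: 30 consecutive user ids in 30 seconds.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 GET /api/users/{1000 + i}/profile 200")
    # Constructed ordinary user: a few lookups spread over several minutes.
    for i, uid in enumerate((42, 42, 77)):
        ts = (base + timedelta(minutes=3 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.4 GET /api/users/{uid}/profile 200")
    lines.append(f"{base.isoformat()} 198.51.100.4 GET /static/logo.png 200")
    return lines


if __name__ == "__main__":
    for ip, finding in detect_enumeration(build_sample_log()).items():
        print(ip, finding)
```

The thresholds are deliberately conservative so that a normal user re-opening their own profile is never flagged; tune `max_hits`, `min_distinct` and `window` against a baseline of legitimate traffic before wiring this into an alert, and pair the alert with server-side rate limiting and authorization checks on the endpoint itself, since detection after the fact does not stop the first window of exfiltration.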