Kaikatsu Club Hacked: 7.29 Million Member Data Exposed
March 6, 2025
In January 2025, Kaikatsu Club suffered a massive cyber attack, exposing up to 7.29 million members' records. Discover the full story on the breach, its impact, and the steps taken to prevent future attacks.
Incident
In January 2025, it was revealed that Kaikatsu Club—a shared space operated by Kaikatsu Frontier Inc.—had been illegally accessed by an external party, potentially resulting in the leakage of up to 7.29 million members' data.
Outline of the Unauthorized Access
On the evening of January 18, unauthorized activity was detected on the company’s server. Immediate measures were taken, including disconnecting the server from the network. Subsequent investigations, conducted with the guidance of external security experts, confirmed unauthorized access to the system managing member accounts, and it appears that a portion of personal information may have been leaked.
Scope of Potential Data Leakage
Affected Groups:
- Kaikatsu Club Members: Individuals who joined between October 1, 2015, and January 20, 2025
- Kaikatsu Club Provisional Members: Select individuals who joined between March 25, 2019, and January 20, 2025
- FiT24 Members and FiT24 Indoor Golf Members: Select individuals who joined between October 30, 2018, and April 1, 2023
Leaked Information May Include:
- First name and last name
- Gender
- ZIP code and address
- Phone number
- Date of birth
- Membership number, type, and status
- Latest points balance and expiration date
- Store code
- Last checkout date and time
- Barcode
- Push notification preferences
- Coupon messages
Please note: Identification details (such as driver’s license numbers), credit card information, email addresses, and member application passwords were not part of the leaked registration data.
Countermeasures and Recurrence Prevention
Immediately following the detection of unauthorized access, the company, in collaboration with its parent company AOKI Holdings, Inc., took steps to mitigate the impact, including reinforcing measures to block unauthorized communications. A dedicated task force was established, and consultations with law enforcement and reports to the Personal Information Protection Committee were made to determine the cause and assess the full extent of the breach. Moving forward, the company is committed to enhancing its security systems and network monitoring protocols to prevent a recurrence.
Impact on Members and Company Response
Affected individuals are being notified, with the process expected to be completed by late March 2025. At this time, there has been no confirmation of further misuse or secondary damage resulting from the breach. Additionally, the company has not planned any individual compensation for those affected.
Conclusion
This unauthorized access incident, which may have resulted in a significant data leak, has understandably raised concerns among users. While the company is actively working to bolster its security measures and prevent future breaches, it is also crucial for users to remain vigilant in managing their personal information.
MITRE ATT&CK Analysis
Tactic | Technique (Example) | Description | Evidence/Considerations in the Kaikatsu Club Case
---|---|---|---
Initial Access | T1190 (Exploitation of Public-Facing Application) or T1566 (Phishing) | Attackers may gain entry by exploiting vulnerable web interfaces or leveraging phishing techniques. | Unauthorized access was detected on January 18, with the exact entry vector not disclosed, suggesting attackers targeted a vulnerable system component.
Execution | T1059 (Command and Scripting Interpreter) | Malicious code is executed to compromise the system, often using scripting languages such as PowerShell. | Evidence indicates that unauthorized commands were executed on the server managing member accounts, likely as part of the breach process.
Persistence | T1543 (Create or Modify System Process) | Attackers may establish persistence by altering system services or installing backdoors to retain access over time. | Immediate disconnection of the server limited any prolonged presence, though the possibility of persistence measures cannot be ruled out without further investigation.
Privilege Escalation | T1068 (Exploitation for Privilege Escalation) | Attackers attempt to gain higher-level permissions to access more sensitive areas of the system. | The breach involving the account management system implies that attackers may have escalated privileges, even if specific methods were not disclosed.
Defense Evasion | T1562 (Disable or Modify Tools) | Techniques used to bypass or disable security monitoring tools and logs to delay detection. | Although no explicit evidence was provided, the attackers likely employed evasion tactics prior to detection on January 18.
Credential Access | T1555 (Credential Dumping) or T1078 (Valid Accounts) | Unauthorized acquisition or abuse of credentials to move within the system or access restricted information. | Access to the member account system suggests that either credentials were compromised or valid accounts were abused, though details remain limited.
Discovery | T1083 (File and Directory Discovery) | Scanning the system to identify critical files and databases containing sensitive data. | The targeting of member data (7.29 million records) indicates that attackers conducted internal discovery to locate and aggregate sensitive information.
Lateral Movement | T1021 (Remote Services, e.g., RDP) | Moving from the initially compromised system to other network segments to broaden the breach. | There is no direct evidence of lateral movement; however, if additional systems were targeted, similar techniques may have been used.
Collection | T1560 (Archive Collected Data) | Aggregating and compressing targeted data in preparation for exfiltration. | The potential collection of 7.29 million member records implies systematic aggregation of sensitive data prior to any attempted exfiltration.
Exfiltration | T1041 (Exfiltration Over C2 Channel) | Transferring collected data out of the network via an established command-and-control channel. | While definitive exfiltration was not confirmed, the possibility of data leakage exists given the volume of sensitive records involved.
Impact | T1499 (Endpoint Denial of Service) | Disrupting system availability through methods like DDoS attacks to affect business operations. | A concurrent DDoS attack on the Kaikatsu CLUB app limited its functionality, further impacting the user experience and overall service availability.
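The Discovery, Collection and Exfiltration rows describe a chain that network monitoring can catch before the data leaves: a bulk read of the member table, staging of an archive, then a large outbound transfer from the same host. The script below is an added illustration of that correlation and is not code from the original article, from Kaikatsu Frontier or from the investigation; the event log it runs over is constructed, the host names, the documentation-range destination address, the row and byte thresholds and the two-hour window are all assumptions chosen for the example.

```python
"""Correlate the T1083 -> T1560 -> T1041 chain on one host inside a time window.

Added example for the table above; the events, hosts, addresses and
thresholds are constructed for illustration and are not from the incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, host, event kind, details).
# db-app-01 shows the full chain; web-02 is a routine backup that must not alert.
SAMPLE_EVENTS = [
    ("2025-01-18T17:02:10", "db-app-01", "db_query", {"rows": 120}),
    ("2025-01-18T17:40:05", "db-app-01", "db_query", {"rows": 7_290_000}),
    ("2025-01-18T17:52:30", "db-app-01", "archive_create",
     {"path": "/tmp/m.7z", "bytes": 1_900_000_000}),
    ("2025-01-18T18:10:00", "db-app-01", "net_out",
     {"dst": "203.0.113.45", "bytes": 1_850_000_000}),
    ("2025-01-18T18:12:00", "web-02", "archive_create",
     {"path": "/var/backups/daily.tgz", "bytes": 50_000_000}),
    ("2025-01-18T18:15:00", "web-02", "net_out",
     {"dst": "198.51.100.9", "bytes": 1_000_000}),
]

# Assumed thresholds: tune to the real system's normal query and transfer sizes.
BULK_ROWS = 100_000
BIG_BYTES = 500_000_000
WINDOW = timedelta(hours=2)


def correlate(events, bulk_rows=BULK_ROWS, big_bytes=BIG_BYTES, window=WINDOW):
    """Return one alert per host whose bulk read is followed, within `window`,
    by a large archive being written and a large outbound transfer.

    A host with a large archive and transfer but no bulk read gets a
    lower-severity alert, since routine backups also look like that.
    """
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        big_archives = [e for e in evs if e[1] == "archive_create" and e[2]["bytes"] >= big_bytes]
        big_sends = [e for e in evs if e[1] == "net_out" and e[2]["bytes"] >= big_bytes]
        if not (big_archives and big_sends):
            continue  # nothing worth raising on this host

        # Look for the strongest signal: a bulk read preceding both stages.
        for t0, kind, detail in evs:
            if kind != "db_query" or detail["rows"] < bulk_rows:
                continue
            archived = [e for e in big_archives if t0 < e[0] <= t0 + window]
            sent = [e for e in big_sends if t0 < e[0] <= t0 + window]
            if archived and sent:
                alerts.append({
                    "host": host, "severity": "high", "start": t0.isoformat(),
                    "rows": detail["rows"], "archive": archived[0][2]["path"],
                    "dst": sent[0][2]["dst"], "techniques": ["T1083", "T1560", "T1041"],
                })
                break
        else:
            # Archive plus large transfer only: flag for review, not for response.
            alerts.append({
                "host": host, "severity": "medium", "start": big_archives[0][0].isoformat(),
                "archive": big_archives[0][2]["path"], "dst": big_sends[0][2]["dst"],
                "techniques": ["T1560", "T1041"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The point of keeping the three stages together is that each one alone is noisy: reporting jobs run big queries, backup jobs write big archives, and sync jobs push large transfers. Only the sequence on one host within a short window is rare enough to page on, and an alert that names the host, the archive path and the destination gives the responder what the disconnect-and-investigate step on January 18 needed.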