It has now been determined that, due to unauthorized access from outside the university, it is highly likely that user email addresses and passwords associated with the Shonan Fujisawa Campus (SFC) SFC-CNS email service*1 have been compromised. To prevent further unauthorized access, the university initiated a mandatory reset of email service passwords on December 23, followed by a mandatory reset of account login passwords on December 25. The university will continue to take necessary actions to address the situation, giving priority to those of the highest urgency.
We sincerely apologize for the significant inconvenience and concern this has caused to all those affected.
■ Incident overview
On November 26, 2025, suspicious activity was detected from the spam quarantine server*2 of the SFC email system. On the same day, the university blocked the entry point and shared information about the incident with Cisco Systems, LLC, the manufacturer of the server used for spam quarantine. On December 18, following further investigation, it was determined that unauthorized access had likely been achieved by exploiting an unknown vulnerability in the server’s software, commonly referred to as a “zero-day attack.”*3
As the investigation continued, it was determined on December 22 that data, including personal information, may have been leaked to external parties from the directory server*4 referenced by the spam quarantine server. At present, there have been no confirmed cases of secondary harm resulting from the malicious use of potentially compromised passwords or other information. This incident has been reported to both the relevant government agencies and the police as appropriate.
■ Precautions and requests
As a result of this incident, there is a possibility that phishing emails, spam, or other secondary harm may occur. If you receive any suspicious emails, please exercise caution and avoid clicking on any links.
Additionally, if you are using any passwords that may have been compromised in this incident for other websites or services, please change them immediately to prevent any secondary harm, such as unauthorized logins.
■ Information that may have been involved in the data breach
The following data is currently thought to have been potentially compromised by unauthorized access to the SFC-CNS email service.
●Data that was almost certainly compromised: information stored on the directory server
►A total of 6,447 SFC-CNS accounts, including those of current users (students, faculty, staff, and others), September 2025 graduates, and users whose accounts were suspended after August 28, 2025.
◆Email addresses
◆Hash*5 of account login passwords
◆Email passwords (plain text)
◆Wi-Fi passwords (reversible encryption)*6
◆Full names (in kanji)
◆Full names (in Roman alphabet)
◆Student, faculty, or staff ID numbers Forwarding email addresses
►Other data used in the system 1,025 users who graduated in March 2025 (this does not include names, passwords, or other sensitive information).
◆Email addresses
●Data that was potentially compromised: information stored on the spam quarantine server
►Emails on the quarantine server (mostly spam): up to 222,508 messages (984 email addresses using the quarantine service)
►Email addresses and domains on the safe list/block list*7: Up to 1,613 (1,102 excluding duplicates)
However, considering the volume of data that was transferred, it is considered unlikely that a large amount of information leaked from the spam quarantine server.
If you have any questions regarding this incident, please contact the email listed below. (Inquiries regarding this incident)
Keio University Unauthorized Access Incident Point of Contact:
m-contact@adst.keio.ac.jp
Glossary:
*1 SFC-CNS email service: The email platform hosted on the distinct “Shonan Fujisawa Campus—Campus Network System” for students, faculty, and staff members at SFC.
*2 Spam quarantine server: A server used to store emails that have been automatically classified as spam for a set period, to allow for their recovery in case of errors.
*3 Zero-day attack: An attack that exploits a software vulnerability before information about the vulnerability or any countermeasures or patches have been made public.
*4 Directory server: A server that serves as a “collective phonebook,” collecting information about users and devices on a network in a hierarchical structure and providing centralized authentication and management.
*5 Hash: A method of converting data into a completely different form according to specific rules: Once executed, recovery of the original data is rendered infeasible. (For passwords, it is infeasible to decipher the original password even if the hashed data is available.)
*6 Reversible encryption: A specific “key” is used to encrypt data. The key can be used to recover the original data. (For passwords, it is less secure than hashing because if the system key used by the system becomes compromised, all passwords can be decrypted. It may be chosen in cases where authentication using hashing is infeasible.)
*7 Safe list / block list: Refers to a “list in which all emails from specified addresses or domains are accepted” and a “list in which all emails from specified addresses or domains are rejected,” respectively.
