In Q1 2026, 7 User Accounts Leaked Every Minute in Japan
Surfshark's analysis shows that Japan ranked 18th globally for data breaches in Q1 2026, with nearly 1 million accounts leaked. The rapid expansion of AI in businesses is identified as a key factor increasing data risks.
📋 Article Processing Timeline
- 📰 Published: April 28, 2026 at 17:00
- 🔍 Collected: April 28, 2026 at 08:31
- 🤖 AI Analyzed: April 28, 2026 at 08:34 (2 min after Collected)
According to Surfshark's quarterly analysis of global data breaches, Japan ranked 18th among 250 countries with the most victims in the first quarter of 2026, with approximately 1 million (937,800) user accounts leaked. It was also revealed that 7 user accounts were leaked every minute in Japan during this period.
Japanese Statistics
Since 2004, 139.8 million user accounts have been compromised in Japan, the second-highest level in East Asia after China.
Furthermore, 41.8 million email addresses have been leaked in Japan. Among the leaked data, passwords (103.2 million) and password hashes (18.4 million) are particularly common.
Moreover, the scope of leaks extends to more sensitive personal information, including Individual Numbers (My Number) (14,300), financial information such as credit card numbers (2,600), and contact information like phone numbers (3.6 million) and addresses (2.9 million).
Leaked Data Values Last Even After 10 or 20 Years
The number of global data breaches in Q1 2026 increased approximately threefold compared to the same period in 2025 and rose by 22% compared to the previous quarter (Q4 2025).
A noteworthy point is the rapid expansion of AI utilization in companies. In 2025, 20.2% of companies were using AI, a significant increase from 8.7% in 2023. While the adoption rate has more than doubled in the last two years, is there a link between the acceleration of AI adoption and the increase in data breaches?
Tomas Stamulis, Chief Security Officer at Surfshark, points out that as companies proceed with AI adoption, the amount of user data they hold increases, and the digital systems and integrated platforms they use expand.
He states: "AI-powered systems collect and record more detailed user information for automation, analysis, and model improvement. While this improves operational efficiency, it also increases the number of systems a company must protect, the likelihood of errors, and the risk of leaking sensitive information like credentials and personal data. Consequently, for attackers, the targets for intrusion and attacks are becoming broader and more complex."
In an environment where data leakage is becoming a daily risk, Stamulis also expresses concern about companies' attitudes of requiring account creation and personal information entry even when it's not essential for online purchases.
Furthermore, he expresses concern: "For users, a data breach is not a one-time issue. Even if you change your email address or password, it doesn't end there. Once leaked, personal information remains on the internet and is reused by attackers. It gets compiled into what are called 'combo lists' or combined with new leaked data and repeatedly traded. In other words, even 10 or 20 years later, leaked data continues to hold value and can be misused for unauthorized access, fraud, further information exploitation, and financial damage."
Finally, he calls for the following basic measures regarding the handling of personal information in the AI era:
1. Provide personal information like email addresses, phone numbers, and addresses only in truly necessary situations, such as official procedures.
2. In other cases, use alternatives like secondary emails or email masking.
3. Do not enter personal information unnecessarily where it's not required.
Detailed data regarding Japan can be found here: https://surfshark.com/research/data-breach-monitoring?country=jp
Methodology and Data Sources
Surfshark's 'Data Breach World Map' is a study launched in 2020 and updated quarterly since then. The latest data for Q1 2026 was updated in April 2026.
This project was developed with the cooperation of independent cybersecurity researchers and aims to visualize the scale and impact of data breaches worldwide. Unlike many traditional data breach reports, this map clearly shows which countries' users are particularly affected.
The data for this study is aggregated by email address unit based on 29,000 public databases collected by independent partners. Subsequently, the data is anonymized.
Japanese Statistics
Since 2004, 139.8 million user accounts have been compromised in Japan, the second-highest level in East Asia after China.
Furthermore, 41.8 million email addresses have been leaked in Japan. Among the leaked data, passwords (103.2 million) and password hashes (18.4 million) are particularly common.
Moreover, the scope of leaks extends to more sensitive personal information, including Individual Numbers (My Number) (14,300), financial information such as credit card numbers (2,600), and contact information like phone numbers (3.6 million) and addresses (2.9 million).
Leaked Data Values Last Even After 10 or 20 Years
The number of global data breaches in Q1 2026 increased approximately threefold compared to the same period in 2025 and rose by 22% compared to the previous quarter (Q4 2025).
A noteworthy point is the rapid expansion of AI utilization in companies. In 2025, 20.2% of companies were using AI, a significant increase from 8.7% in 2023. While the adoption rate has more than doubled in the last two years, is there a link between the acceleration of AI adoption and the increase in data breaches?
Tomas Stamulis, Chief Security Officer at Surfshark, points out that as companies proceed with AI adoption, the amount of user data they hold increases, and the digital systems and integrated platforms they use expand.
He states: "AI-powered systems collect and record more detailed user information for automation, analysis, and model improvement. While this improves operational efficiency, it also increases the number of systems a company must protect, the likelihood of errors, and the risk of leaking sensitive information like credentials and personal data. Consequently, for attackers, the targets for intrusion and attacks are becoming broader and more complex."
In an environment where data leakage is becoming a daily risk, Stamulis also expresses concern about companies' attitudes of requiring account creation and personal information entry even when it's not essential for online purchases.
Furthermore, he expresses concern: "For users, a data breach is not a one-time issue. Even if you change your email address or password, it doesn't end there. Once leaked, personal information remains on the internet and is reused by attackers. It gets compiled into what are called 'combo lists' or combined with new leaked data and repeatedly traded. In other words, even 10 or 20 years later, leaked data continues to hold value and can be misused for unauthorized access, fraud, further information exploitation, and financial damage."
Finally, he calls for the following basic measures regarding the handling of personal information in the AI era:
1. Provide personal information like email addresses, phone numbers, and addresses only in truly necessary situations, such as official procedures.
2. In other cases, use alternatives like secondary emails or email masking.
3. Do not enter personal information unnecessarily where it's not required.
Detailed data regarding Japan can be found here: https://surfshark.com/research/data-breach-monitoring?country=jp
Methodology and Data Sources
Surfshark's 'Data Breach World Map' is a study launched in 2020 and updated quarterly since then. The latest data for Q1 2026 was updated in April 2026.
This project was developed with the cooperation of independent cybersecurity researchers and aims to visualize the scale and impact of data breaches worldwide. Unlike many traditional data breach reports, this map clearly shows which countries' users are particularly affected.
The data for this study is aggregated by email address unit based on 29,000 public databases collected by independent partners. Subsequently, the data is anonymized.