Visual Arts, the company behind the legendary visual novel brand Key and titles such as Clannad, Air, and Kanon, has confirmed a major data breach that may have exposed thousands of records containing personal and corporate information.
In an official notice published on June 4, the company revealed that an unauthorized third party gained access to its systems, potentially extracting internal company data, customer information, employee records, business partner details, and even the master data for its recently released visual novel anemoi.
According to Visual Arts, the incident first came to light after the master data for anemoi was discovered on a foreign website on April 19, 2026. The game would officially launch several days later on April 24.
After investigating the leak, the company concluded that there is a high possibility that the attacker obtained credentials used for Visual Arts’ cloud storage systems. Using those credentials, the third party is believed to have accessed the storage environment where anemoi was kept and extracted not only the game’s master data but also additional information held by the company.
Visual Arts said it formally recognized the incident as a data breach resulting from unauthorized access and submitted a report to Japan’s Personal Information Protection Commission on May 11. The company added that it will continue providing reports and cooperating with relevant authorities as the investigation progresses.
What Information May Have Been Exposed?
isual Arts released a detailed breakdown of the information that may have been compromised. The largest category involves customer information. According to the company, approximately 6,017 customer records containing names, including handle names, and email addresses may have been exposed.
Another 2,626 customer records may include names, physical addresses, phone numbers, and email addresses.
The breach may also affect individuals and companies that have worked directly with Visual Arts.
The company disclosed that approximately 1,859 individual business partner records containing names, addresses, phone numbers, and email addresses may have been compromised.
An additional 484 records involving individual contract partners may also contain My Number identification information alongside names, addresses, phone numbers, and email addresses.
Corporate partner information was also listed among the potentially affected data. According to Visual Arts, approximately 1,452 corporate partner records containing names and email addresses may have been exposed.
The incident extends beyond customers and business partners.
Visual Arts stated that approximately 1,007 job applicant records may have been affected. These records may include names, addresses, phone numbers, email addresses, and birth dates.
Meanwhile, approximately 114 current and former employee records may also have been exposed. These records potentially include names, addresses, phone numbers, email addresses, birth dates, My Number identification information, and personally identifiable documents and images.
The company noted that the investigation remains ongoing and that both the number of affected records and the scope of the leak may change as more information becomes available.
No Confirmed Secondary Damage Yet
Despite the scale of the breach, Visual Arts says it has not confirmed any secondary damage beyond the leak of anemoi’s master data.
According to the company, there is currently no confirmed evidence that the exposed information has been further distributed, publicly disclosed, or abused. However, the company says it will continue monitoring the situation closely.
Visual Arts also stated that it will contact affected individuals and organizations directly whenever possible.
For people whose contact information is unavailable or for cases where individual notification is difficult, the company said the public notice serves as its primary method of informing affected parties.
Security Measures Already Underway
In response to the incident, Visual Arts says it has begun implementing several measures designed to prevent similar breaches from occurring again.
These measures include strengthening and revising credentials used across internal systems, reviewing access rights and permissions, and improving security management procedures.
The company also announced the creation of a 24-hour monitoring structure in cooperation with external security specialists. According to the notice, this system will monitor internal infrastructure and cloud services for suspicious access attempts and unusual activity.
Employee security awareness is also being addressed, with Visual Arts confirming that it will strengthen information security training throughout the company.
VA STORE Orders Temporarily Suspended
The breach has also affected Visual Arts’ official online storefront.
The company announced that new orders through VA STORE have been temporarily suspended while security reviews are carried out.
According to Visual Arts, because the store handles customer information, new orders will remain paused until the company can confirm that personal information can be processed safely under strengthened security measures.
The company said additional information regarding the resumption of services will be announced once the necessary improvements and training programs have been completed.
Visual Arts Apologizes as Investigation Continues
In its statement, Visual Arts issued a formal apology to customers, business partners, applicants, employees, and all potentially affected parties.
The company acknowledged the concern and inconvenience caused by the incident and stated that it intends to dedicate all available resources toward investigating the breach, strengthening its security systems, and rebuilding trust.
The company also established a dedicated contact point for inquiries related to the breach while continuing its investigation into the full scope of the incident.
For now, Visual Arts maintains that the leak of anemoi‘s master data remains the only confirmed case of data being publicly distributed, though the broader investigation into potentially exposed personal and corporate information remains ongoing.
Source: X
