Money Forward announced on June 23, 2026, that it had completed a detailed investigation into the unauthorized access to GitHub first reported in May. The company revealed that personal information of an additional 62,901 individuals may have been exposed. No confirmed misuse of the personal information has been identified so far.

Incident Overview

Money Forward first disclosed on May 1, 2026, that 370 corporate card records may have been exposed due to unauthorized access to GitHub. After further investigation, the company completed its detailed review on June 23 and submitted reports to the Personal Information Protection Commission and the Financial Services Agency. The affected data primarily includes names and contact information of customers, business partners, and employees. Unique identifiers were stored in a format that makes individual identification difficult when used alone.

According to the official press release, notifications have already been sent to individuals whose contact information was available. The bank account linkage feature was temporarily suspended on May 11-12, with plans to resume gradually after the investigation concluded.

Sources: Money Forward Official Press Release (June 23, 2026), ITmedia, Nikkin


Breakdown of Exposed Information

The official announcement detailed the potential data exposure as follows:

| Item | Count | Notes |
|---|---|---|
| Customer names and email addresses | 124 | |
| Business partner names and email addresses | 28 | |
| Employee (including retirees) names, emails, phone numbers, etc. | 2,300 | |
| Customer management unique identifiers | 6,449 | Up to 19 digits; management numbers only, cannot identify individuals alone |
| Total | 62,901 | |

The unique identifiers consist only of management numbers and are difficult to misuse on their own. No confirmed cases of personal information misuse have been reported.

Source: Money Forward Official Press Release (June 23, 2026)


Investigation Timeline

The timeline of the incident is as follows:

  • May 1, 2026: Initial report disclosing 370 corporate card records potentially exposed
  • May 11-12, 2026: Temporary suspension of bank account linkage and progress update on investigation
  • June 23, 2026: Completion of GitHub access review, confirmation of scale, and reporting to authorities

This completed the overall picture of the incident. The fourth official report also included an announcement of enhanced security measures.


Key Points of the Official Announcement

Money Forward published the “Completion of Detailed Investigation into GitHub Unauthorized Access and Announcement of Strengthened Security Measures” on its official website. The announcement emphasizes that no misuse of personal information has been confirmed. Notifications have been completed for all individuals whose contact details were available.

For data consisting only of unique identifiers, the risk of misuse is considered low when used in isolation. The company states that it has implemented enhanced security measures.

Source: Money Forward Official Press Release


Impact and Response

Individuals potentially affected have been notified individually where contact information was available. When only unique identifiers are involved, misuse is difficult without combination with other personal data.

Resumption of bank account linkage is scheduled to proceed gradually after the investigation. Users are advised to review the official announcement and consider updating passwords or enabling two-factor authentication as needed.


Frequently Asked Questions (FAQ)

Q: What kind of information was exposed?

Names, email addresses, phone numbers, and customer management unique identifiers (up to 19-digit management numbers). The unique identifiers alone cannot identify individuals.

Q: Has any misuse been confirmed?

No confirmed cases of personal information misuse have been reported to date. This is explicitly stated in the official announcement.

Q: Why was the scale confirmed on June 23?

The detailed investigation into the GitHub unauthorized access was completed on that date. Further review was conducted after the initial May report.

Q: Has the bank account linkage been resumed?

It was temporarily suspended in May and is expected to resume gradually after the investigation. Please check the official website for the latest status.

Q: Where can I find the official announcement?

It is published on the Money Forward corporate website press release page (https://corp.moneyforward.com/news/info/20260623-mf-press-1/). It has also been reported by ITmedia, Nikkin, and other media outlets.

Q: Are there reports from other media?

Yes, ITmedia, Nikkin, and Jiji Press (via Yahoo! News) have covered the story. It is recommended to cross-reference with official information.


Strengthened Security Measures

The fourth official report mentions enhancements to access management and log monitoring systems in light of this incident. Although the unauthorized access occurred on GitHub, an external service, the response highlights improvements to internal processes. Users are also advised to enable two-factor authentication and regularly update passwords. Detailed countermeasures can be found in the official press release.

Source: Money Forward Official Press Release


Similar past security incidents involving cloud service unauthorized access underscore the importance of prompt detailed investigations and reporting to authorities. See internal links and official sources for further context.


Summary

Money Forward has confirmed that personal information of an additional 62,901 individuals may have been exposed in the GitHub unauthorized access incident. No misuse has been confirmed, and notifications have been completed for individuals with available contact information. Users should review the official announcement and strengthen their security measures. For full details, please refer to the official press release.

Sources: Money Forward Official Press Release, ITmedia, Nikkin

Author

krona23
