Money Forward: ~62,901 records may have leaked — personal data left on GitHub
Up to 62,901 people's personal data may have leaked at Money Forward, maker of popular budgeting and accounting software. The cause was not a software flaw but a credential leak into GitHub plus personal-data files mistakenly stored there; the production DB was safe. What leaked, why it happened, and what we can learn — tracked with follow-ups.

Makoto Horikawa
Backend Engineer / AWS / Django
Money Forward, known for the household-budget app "Money Forward ME" and the accounting software "Money Forward Cloud," announced on June 23, 2026 that the personal data of up to 62,901 people may have leaked. This is the final figure for the unauthorized access to the source-code management service GitHub that the company first disclosed on May 1; the investigation is now complete.
But the most important thing here is not the number — it is "what was breached, and what was protected." The attacker did not get into the production systems that hold users' household-budget or accounting data. They got into the place where source code is stored for development (a GitHub repository). There was no intrusion into the production database, and no secondary harm such as money moving or budgets being viewed has been confirmed. Personal data still leaked because information that should never have been there was, by mistake, stored alongside the source code.
"The front door and the safe were well guarded, but copies of important documents were left in the storage shed by the back door." That, in one line, is the shape of this incident. This article organizes, from primary sources, what leaked and how much, and what kind of hole was exploited — then digs into what development teams should do to avoid the same mistake. We will keep adding follow-ups on Money Forward to this article.
What may have leaked, and how much
The "personal data that may have leaked," finalized with the June 23 completion of the investigation, totals 62,901 people. Most of it is the management number used internally to distinguish users — separate from the ID and password used to log in. The breakdown is as follows.
| Subject | Count | Information included |
|---|---|---|
| Customers (management number) | 60,449 | Up to 19-digit internal management number (separate from the login ID) |
| Employees (incl. former staff) | 2,300 | 373 identifiers, 490 names, 1,807 emails, 305 phone numbers |
| Customers (names etc.) | 124 | 100 names, 24 email addresses |
| Business partners | 28 | 5 names, 23 email addresses |
| Business Card | 370 records | Cardholder name (Latin) and last 4 digits of the card number |
By count, the management numbers (60,449) dominate, but these are described as internal numbers that cannot identify an individual on their own. The 2,300 employee records, on the other hand, include names, emails, and phone numbers — heavier in content. For the Business Card, the full card number, expiry date, and security code are not included — only the cardholder name (in Latin letters) and the last four digits. In other words, this is not the kind of leak where cards get abused immediately.
What was exploited was not a "software flaw" but the "development process"
The question on everyone's mind is "what vulnerability was exploited?" The short answer: this was not the kind of software flaw you usually hear about (the sort that gets a CVE number). What was exploited was a gap in people and process. Let's go in order.
(1) The entry point: GitHub credentials leaked
It started with the leak of the GitHub credentials (the keys to log in) that Money Forward used for software development. A third party abused those keys to get into the repositories (where source code is stored) and copied the contents. GitHub is the source-code management service used by developers worldwide, where a company's canonical code gathers. If its keys get out, the code is carried off with them.
(2) What widened the damage: personal data mixed into the source code
Had only the keys leaked and the code been copied, the damage would have stopped at "source-code leak." But files containing personal data that should never have been there were, outside the proper procedures, stored on GitHub by mistake. Money Forward itself explained in May why personal data had ended up on GitHub. That mixing is what turned a "source-code leak" into a "personal-data leak."
(3) A line that could have been held: a free detection feature was not used
Security-minded engineers have pointed out that GitHub's free Secret Scanning, which automatically watches for keys and passwords accidentally mixed into code, was not enabled. Be precise about what that feature covers: it matches known credential formats (API keys, access tokens, private-key headers), so it addresses keys and tokens committed into code, but it does not recognize a CSV of names, email addresses, and phone numbers. Keeping personal data out needs the other basics: always anonymizing or masking test data, and excluding sensitive files from the start with .gitignore. Had those been enforced, the mixing itself might have been prevented. This was not a flashy zero-day; it was the plain, most common accident of carelessly putting secrets and PII into source control.
We have seen the same shape repeatedly on this site. Awa Bank leaking 27,000 records from a neglected test environment is exactly the case of "customer data placed on the dev/test side, outside the guard." The Cloud Foundry private-key exposure and the leak of 510,000 lines of Claude Code source are continuous with it too, in that how you manage code and keys directly sets the size of the damage.
Why did data leak even though "production was safe"?
From here on is the author's view, grounded in the facts. The most telling thing about this incident is the structure where the center of gravity of defense leaned toward production, and the development environment was thin.
Most companies guard the production system that holds user data most strictly — firewalls, multi-factor authentication, monitoring — because it ties directly to money and personal data. Money Forward held that line too, and no intrusion into the production database occurred. But what the attacker chose was not the safe out front; it was the "back" of development. The place where source code lives is often watched less strictly than production, and if personal data is mixed in there, the data can be carried off without touching production at all.
In construction there is a phrase, "the pipes above the ceiling" — the part no one usually sees, invisible from the front. Precisely because it is invisible, cutting corners there causes a leak ten years later. Source-code management in software development is exactly this ceiling void. Beyond polishing the "front" of production, do you grasp what runs through the "back" of development? This incident presses that single point on many companies. All the more so for a company like Money Forward, which holds everything from household budgets to corporate accounting — the back side must be maintained with the same weight as production.
Timeline so far
The flow from the first disclosure on May 1 to the scope confirmation on June 23 is laid out in the Money Forward incident timeline table at the end of this article.
What is known, and what is not yet
Confirmed facts
- Personal data that may have leaked totals 62,901 people; it began with a GitHub credential leak (ITmedia / official first report)
- No intrusion into the production database, and no secondary harm from misuse has been confirmed. What leaked is limited to files inside the development GitHub repositories
- Files containing personal data had been stored on GitHub by mistake, outside the proper procedures; this is the cause of the widened damage (ITmedia, May 11)
- Affected services are Money Forward Cloud, Business Card, and ME. Bank-account linkage was suspended, then resumed in stages
Not yet known / not disclosed
- The detailed path by which the GitHub credentials leaked (device infection, phishing, etc.)
- The attacker's identity, and how the copied source code/data was subsequently handled
- Specifics like "Secret Scanning not enabled" are points raised by outside engineers and should be read separately from what the company has officially acknowledged
What Money Forward users should do now
First, it is fine to take this calmly. The production database was not breached, and this is not an announcement that household-budget data, bank accounts, or login passwords were stolen. Still, a few precautions are worth taking.
Just-in-case precautions
- Stop reusing passwords: passwords are not in scope this time, but if you use the same one elsewhere, take this chance to make it unique
- Enable two-step verification: available on both Money Forward ME and Cloud; turn it on just in case
- Watch for opportunistic phishing: emails or texts posing as a "breach apology" may circulate. Do not click links; always check via the official announcements
- Business Card users: only the last 4 digits and name are in scope (not the full number or expiry), but keep watching your statement for anything odd
What development teams can learn — closing the same hole
At its core, this is the accident of "secrets and PII (personally identifiable information) carelessly slipping into source-code management." It is not one company's story; it can happen at any organization that builds software. Here are the most effective countermeasures, in priority order.
Development-side checks to make now
1. Enable Secret Scanning and Push Protection: GitHub features that match credential patterns in pushed content and refuse the push before a key or token lands in the remote repository. Stop secrets before they get in, not after, by searching. They recognize key and token formats, not personal-data files, so items 2 and 4 are still needed
2. Always anonymize/mask test data: never bring production personal data straight into dev/test. Use dummy or processed data
3. Least-privilege, short-lived credentials: scope access tokens to only what is needed and keep expiry short, so a leak is limited in time and reach
4. Exclude sensitive files from the start with .gitignore: make config and data files uncommittable in the first place
5. Bring the dev environment under monitoring and egress control too: not just production. Block sends to unauthorized external sites/clouds and detect anomalies in dev (the same direction as Money Forward's remediation)
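Items 1 and 4 above, and the Secret Scanning and .gitignore points raised earlier, have a local counterpart that works even when the server-side feature is off: a pre-commit hook that refuses to commit forbidden paths, credential-looking strings, or personal data. The script below is an added example written for this article; it is not Money Forward's code and not a GitHub feature. The pattern list (AWS access key IDs, GitHub token prefixes, PEM headers, email addresses, Japanese-style phone numbers, Luhn-valid card-like digit runs, and a forbidden-path rule that mirrors typical .gitignore entries) and the sample file contents are constructed assumptions, and the one example key it contains is the placeholder from AWS documentation.

```python
"""Pre-commit gate that refuses staged files carrying credentials or personal data.

Install as .git/hooks/pre-commit (chmod +x) or wire into a pre-commit framework.
It is a local complement to GitHub's server-side Secret Scanning / Push Protection.
"""
import re
import subprocess
import sys

# Paths that must never be committed regardless of content: the programmatic twin
# of the .gitignore entries for the same files (assumed naming conventions).
FORBIDDEN_PATH = re.compile(
    r"(^|/)(\.env(\..*)?|[^/]*\.(pem|key|p12)|[^/]*dump[^/]*\.(csv|sql))$")

# Credential formats (assumed: AWS access key ID, GitHub token prefixes, PEM key header).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# Personal-data formats: email, Japanese-style phone number, 13-19 digit card-like run.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "jp_phone": re.compile(r"\b0\d{1,4}-\d{1,4}-\d{4}\b"),
    "card_like": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
}
# RFC 2606 reserves these names for exactly this: synthetic addresses that can never deliver mail.
SYNTHETIC_DOMAINS = ("example.com", "example.net", "example.org")
SYNTHETIC_TLDS = (".invalid", ".test", ".example")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so long IDs and timestamps are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _synthetic_email(addr: str) -> bool:
    domain = addr.rsplit("@", 1)[1].lower()
    return domain in SYNTHETIC_DOMAINS or domain.endswith(SYNTHETIC_TLDS)


def scan_text(path: str, text: str) -> list:
    """Return (path, line_number, kind) findings; line 0 means the path itself is forbidden."""
    findings = []
    if FORBIDDEN_PATH.search(path):
        findings.append((path, 0, "forbidden_path"))
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                findings.append((path, lineno, kind))
        for kind, rx in PII_PATTERNS.items():
            for m in rx.finditer(line):
                if kind == "email" and _synthetic_email(m.group(0)):
                    continue
                if kind == "card_like" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                    continue
                findings.append((path, lineno, kind))
    return findings


def staged_files() -> list:
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM", "-z"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.split("\0") if p]


def staged_content(path: str) -> str:
    # "git show :path" reads the index (what will actually be committed), not the working tree.
    return subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True,
                          text=True, errors="replace").stdout


# Constructed sample files (not real data) showing what the gate blocks and what it lets through.
SAMPLES = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "tests/fixtures/customers.csv": "name,email,phone,card\n"
            "Taro Yamada,taro.yamada@mail.co.jp,03-1234-5678,4111 1111 1111 1111\n",
    "tests/fixtures/customers_masked.csv": "name,email,phone,card\n"
            "User a1b2c3,user-0123abcd@example.invalid,XXX-XXXX-XXXX,************1111\n",
}


def main() -> int:
    findings = []
    for path in staged_files():
        findings.extend(scan_text(path, staged_content(path)))
    for path, lineno, kind in findings:
        where = path if lineno == 0 else f"{path}:{lineno}"
        print(f"BLOCKED {where}: {kind}", file=sys.stderr)
    if findings:
        print("Commit refused: mask the flagged data or move the file out of the repository.",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed samples, the `.env` file is refused twice over (forbidden path, plus the key ID inside it), the raw customer CSV is refused for the email, phone number and card number on its data row, and the masked CSV passes because its address sits under a reserved domain and its card column has only four digits left. A hook like this errs toward blocking: a Luhn-valid 19-digit management number would be flagged as card-like, and that is the right failure mode for a repository that should hold no customer identifiers at all.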
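Item 2, and the earlier note on masking test data, in code: a deterministic pseudonymizer that turns production-shaped customer rows into a fixture that keeps the right shapes (a 19-digit management number, a syntactically valid email, the last four digits of a card) but carries no real identifier. This is an added example, not Money Forward's code; the column names, the HMAC-based tokenization, the `MASK_KEY` environment variable, and the sample rows are assumptions constructed for illustration.

```python
"""Deterministic pseudonymisation of customer rows for dev/test fixtures.

Each direct identifier is replaced by a keyed-hash token: the same input always
maps to the same token, so joins across tables still line up, but nothing can be
reversed without the key, which stays outside the repository (MASK_KEY in the
shell, never committed).
"""
import csv
import hashlib
import hmac
import io
import os

FIELDS = ["management_id", "name", "email", "phone", "card_number"]  # assumed column layout


def token(key: bytes, value: str, length: int) -> str:
    """HMAC-SHA256 of a normalised value, truncated. Keyed, so tokens cannot be looked up in a rainbow table."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:length]


def pseudonymize_row(row: dict, key: bytes) -> dict:
    out = dict(row)
    # Keep the 19-digit shape so the app's own format validation still runs against the fixture.
    out["management_id"] = str(int(token(key, row["management_id"], 32), 16) % 10**19).zfill(19)
    out["name"] = "User " + token(key, row["name"], 6)
    # RFC 2606 reserved TLD: never deliverable, and a repository scanner can allow-list it.
    out["email"] = f"user-{token(key, row['email'], 12)}@example.invalid"
    out["phone"] = "XXX-XXXX-XXXX"  # never a join key, so no token is needed
    pan = row["card_number"].replace(" ", "")
    # With the name pseudonymised, last 4 alone identifies no card; drop the column entirely if unused.
    out["card_number"] = "*" * (len(pan) - 4) + pan[-4:]
    return out


def pseudonymize_rows(text: str, key: bytes) -> list:
    return [pseudonymize_row(row, key) for row in csv.DictReader(io.StringIO(text))]


def pseudonymize_csv(text: str, key: bytes) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(pseudonymize_rows(text, key))
    return buf.getvalue()


# Constructed sample rows (not real people or cards) so the example runs offline.
SAMPLE_CSV = (
    "management_id,name,email,phone,card_number\n"
    "1234567890123456789,Taro Yamada,taro.yamada@mail.co.jp,03-1234-5678,4111 1111 1111 1111\n"
    "9876543210987654321,Hanako Sato,hanako@mail.co.jp,090-1234-5678,5555 5555 5555 4444\n"
)

if __name__ == "__main__":
    print(pseudonymize_csv(SAMPLE_CSV, os.environ["MASK_KEY"].encode()))
```

Run it as `MASK_KEY=... python pseudonymize.py > tests/fixtures/customers.csv` from a host that is allowed to see production exports; only the output is committed. Because the token is keyed, two tables pseudonymized with the same key still join on the management number, while someone holding only the fixture cannot recover the originals by hashing guessed inputs.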
Keeping a way to continuously surface risks around dependencies and source-code management helps you spot these "back of development" holes quickly. We have organized a way to check the OSS supply chain on this site as well. In the sense of a breach via GitHub or an outside party, this shares ground with Crunchyroll's 6.8-million leak via an outsourcing partner and KDDI's up-to-14.22-million email leak — a weakness outside the main keep is what gets hit.
Frequently asked questions
Were household-budget or account data, or passwords, stolen?
That is not the announcement. There was no intrusion into the production database, and household-budget data, bank-account information, and login passwords are not said to have leaked. What may have leaked is limited to information in files within the development GitHub repositories (management numbers, some names/emails/phone numbers, and the Business Card's name and last 4 digits).
What is the harm if a "management number" leaks?
The management number is an up-to-19-digit number Money Forward uses internally to distinguish users — separate from the login user ID. The company says it cannot identify an individual on its own. Still, the risk of being combined with other information is not zero, so it is wise to keep watching for opportunistic phishing.
What vulnerability was exploited?
Not a software flaw (CVE). The cause was an operational/process hole: GitHub credentials leaked, a third party got into the repositories, and files containing personal data that should not have been there had been placed there by mistake — a "credential leak plus personal-data mixing." Outside observers also note that GitHub's free detection feature (Secret Scanning) was not enabled.
Is it safe to keep using Money Forward?
That is each person's call, but the company disclosed the cause and says it has introduced remediation: stronger controls on work devices, blocking communication to unauthorized clouds, and real-time monitoring of the development environment. We will keep adding follow-ups to this article.
Money Forward incident timeline
This article continuously tracks security and service incidents related to Money Forward. As new developments arise, we will add them here.
| When | Event | Scope / status |
|---|---|---|
| May 2026 | Unauthorized access to GitHub disclosed | First report. 370 Business Card records and possible source-code leak |
| June 2026 | Investigation complete; scope set | Possible leak of personal data for 62,901 people |
References
- Money Forward - Notice and apology on unauthorized access to GitHub (first report)
- Money Forward - Investigation progress and path to resuming bank-account linkage (second report)
- ITmedia NEWS - About 63,000 records may have leaked; scope set as investigation completes
- ITmedia NEWS - Money Forward explains why personal data was on GitHub
- INTERNET Watch - New possible leak of customer/employee data confirmed; investigation complete
- Jiji Press (Yahoo! News) - Money Forward, about 63,000 people's data leaked
- Money Forward ME Support - Suspension and staged resumption of bank-account linkage
Update history
- June 24, 2026: First published (created following Money Forward's June 23 investigation completion and scope confirmation)