CAMPFIRE's data breach (up to 225k) — what backers should do now
What happened
In April 2026, CAMPFIRE disclosed a cyberattack that began with unauthorized access to an external-service (GitHub) account. It detected suspicious activity on GitHub repositories in the early morning of April 3, and after investigation found that up to 225,846 unique records may have been exposed. The company issued a first notice on April 24 and an outside-expert investigation result on June 2.
What may — and may not — be exposed
- Potentially in scope: names, addresses, phone numbers, email addresses and bank-account information. This reportedly includes project-runner data from Feb 2021 onward (~120,929 records) and backer data for those who used PayPal, pay-later or bank refunds (~130,155 records).
- Out of scope: credit-card information is not included.
- Exfiltration: the forensic investigation found “no evidence that files containing personal data were transferred externally.” It remains at the “possible exposure” stage.
What backers and runners should do
- Treat CAMPFIRE's official notices as the primary source (below) — check whether you're affected and whether you got individual contact.
- Stop reusing passwords — if you used the same password elsewhere, change it.
- Be wary of suspicious email/SMS/calls — exposed details can fuel impersonation; even if a message claims to be CAMPFIRE, reach links via the official site.
- Watch your accounts — if you're a runner whose bank details are in scope, monitor transactions.
- CAMPFIRE has opened a dedicated desk (0120-188-070, 10:00–19:00).
Editor's note
Crowdfunding concentrates both money and personal data, and the larger the platform (CAMPFIRE: ¥100B funded, 5.1M members), the more attractive a target. This isn't a verdict that CAMPFIRE uniquely failed — it's a reminder that a breach can happen on any platform, so make self-defence (password hygiene, wariness of suspicious contact) a habit. Always confirm the latest status officially. This is a 2026 incident and details may be updated.