Key Highlights
- Koinly reported a potential leak of user email addresses following a security breach at its analytics partner, Mixpanel.
- The company confirmed that no sensitive financial information was involved.
- Users are advised to remain alert for targeted phishing attempts that may arise from the exposure of their contact information.
Crypto tax software firm Koinly informed users today that their email address information may have been leaked due to a security breach at a third-party analytics platform, Mixpanel. The breach occurred as a result of unauthorized access to a dataset stored in the Mixpanel system, which hosted the email address details for a portion of Koinly users. The company said that only email address details were exposed.
Koinly swiftly addressed privacy concerns by clearly outlining the limits of their data handling to alleviate customer concerns. In a statement, the company stated, “We do not share any wallet, transaction, tax, and portfolio data with Mixpanel.” This indicates that though the email address may have been hacked, the sensitive financial information central to their service has not been accessed.
Supply chain vulnerabilities
This incident reflects a broader pattern of supply chain vulnerability affecting Mixpanel, which was allegedly targeted in early November 2025 as part of a “smishing” (SMS phishing) attack aimed at an individual subcontractor. Other large services, such as OpenAI and CoinTracker, also suffered similar levels of customer metadata exposure as a consequence of the same third-party vulnerability.
Such incidents have been increasingly prevalent within the fintech and cryptocurrency space, as attackers seek to target secondary service providers for the purposes of harvesting user lists for future exploitation.
Broader ecosystem risks
A similar risk was seen in the October breach of PancakeSwap’s X account, where hackers exploited their social media platform to circulate malicious links. The incident highlighted how even established decentralized finance (DeFi) entities can be compromised through external service vulnerabilities.
In response to this recurring pattern of data exposure, companies like Tether have begun introducing decentralized alternatives, such as their recently launched peer-to-peer password manager.
Despite the fact that the core financial storage and portfolio of users had not been shared with Mixpanel and was safe, the exposure of the email list seems a case of neglect for users’ personal details. Though the company continues with investigations and joint efforts with suppliers, this case again puts the importance of multi-factor authorization and general alertness online beyond doubt.
Also Read: South Korea Closes Regulatory Gaps After Upbit Breach
