Koinly Reports Email Data Leak After Third-Party Vendor Breach - Your Crypto Tax Data Exposed

Published: 2025-12-23 14:53:17

Another day, another data breach—this time hitting crypto tax software users right before the holiday season.

The Security Hole

Koinly, the popular cryptocurrency tax reporting platform, just confirmed a third-party vendor breach exposed customer email addresses. The company's automated email system provider got compromised, leaking contact details of users who'd rather keep their crypto holdings private. No financial data or passwords were accessed—just the digital equivalent of someone rifling through your mailbox.

The Vendor Problem

This isn't Koinly's first security rodeo. The platform previously suffered a breach in 2023 when hackers exploited a zero-day vulnerability. Now it's their vendors causing headaches. The crypto industry's reliance on third-party services creates a chain of vulnerabilities—break one link, and everyone's data dances in the wind.

User Fallout

Exposed email addresses mean one thing: targeted phishing attacks. Expect sophisticated 'tax season' scams promising refunds or threatening audits. Crypto users already juggling private keys and DeFi protocols now add 'identify fake Koinly emails' to their security checklist. Because nothing says 'holiday cheer' like potential identity theft.

The Bigger Picture

Data breaches have become crypto's recurring subscription fee—you pay with your privacy quarterly. While traditional finance gets FDIC insurance, crypto gets 'sorry, our vendor messed up' emails. The industry keeps building decentralized futures while relying on centralized email providers who can't keep their servers locked.

Stay sharp out there. Your crypto portfolio might be decentralized, but your email inbox is everyone's attack surface.

Supply chain vulnerabilities

This incident reflects a broader pattern of supply chain vulnerability affecting Mixpanel, which was allegedly targeted in early November 2025 as part of a “smishing” (SMS phishing) attack aimed at an individual subcontractor. Other large services, such as OpenAI and CoinTracker, also suffered similar levels of customer metadata exposure as a consequence of the same third-party vulnerability.

Such incidents have become increasingly prevalent in the fintech and cryptocurrency space, as attackers target secondary service providers to harvest user lists for future exploitation.

Broader ecosystem risks

A similar risk was seen in the October breach of PancakeSwap’s X account, where hackers exploited their social media platform to circulate malicious links. The incident highlighted how even established decentralized finance (DeFi) entities can be compromised through external service vulnerabilities.

In response to this recurring pattern of data exposure, companies like Tether have begun introducing decentralized alternatives, such as their recently launched peer-to-peer password manager.

Although users' core financial storage and portfolio data had not been shared with Mixpanel and remained safe, the exposure of the email list appears to be a case of neglect for users' personal details. While the company continues its investigation and its joint efforts with suppliers, this case again underscores the importance of multi-factor authentication and general vigilance online.
