Koinly Warning: Third-Party Breach Exposes User Emails – Is Your Tax Data Safe?

Koinly, a popular cryptocurrency tax optimization software application, has warned users of a possible data breach of email addresses in the aftermath of a security breach by a third-party service provider.

The company reported that the problem was not through its systems, and it insisted that sensitive financial and tax-related information is safe.

Koinly, in an email to the customers, claimed that the incident was based on Mixpanel, an analytics service it had been using to understand how the products were being used and ways of enhancing user experience.

What Was Exposed—and What Wasn’t: Koinly Addresses Third-Party Breach Fallout

Third-party breaches are a type of attack in which the attackers target vendors or service providers who have access to user information, and in most cases, they are using less secure security controls to indirectly gain access to information.

These attacks are prevalent in both crypto and non-crypto industries.

In these instances, Koinly said that Mixpanel had announced in November that one of its hackers had accessed some user accounts of Mixpanel and data belonging to these accounts.

Information disclosed could have contained names, email addresses, rough position details like city or country, and device data like the operating system and version of a browser.

Koinly reported that, according to its internal inquiries, it did not share any wallet information, transaction history, tax filings, or portfolio data with Mixpanel.

The company also stated that its main systems were not compromised, and it did not leave people with access to user accounts and financial records stored in Koinly.

Since then, it stopped using Mixpanel and initiated a larger exercise of auditing other third-party tools that process user information.

The company has failed to provide the number of users that could have been impacted and a specific timeframe in which the data exposure took place. It claimed that it is still in the process of collaborating with Mixpanel in order to know the extent of the incident.

Although Koinly asserted that it had no evidence that the information revealed had been abused, it gave a warning that users should be wary of potential exploitation by phishing.

The company also suggested that they confirm that any message that claims to be from Koinly originates from its official domain.

As Crypto Theft Hits $3.4B, Third-Party Vulnerabilities Come Into Focus

Koinly has a user base of over 1.5 million in the world, and it is active in over 20 countries.

The platform automatically imports transaction data from more than 900 exchanges, wallets, and blockchains and classifies the transactions, determines the gains and losses, and produces tax filings for tax authorities.

The size and reach of it ensure that even a small data exposure can concern the users who use it to store sensitive financial data.

The recent attacks in the crypto market and the technological industry in general demonstrate how harmful third-party hacks can be.

In September, Swiss crypto platform SwissBorg lost over $41 million of Solana tokens because attackers hacked an API provider of one of its partners’ services.

In October, Discord affirmed that they had unauthorized access to their third-party Zendesk system of support following their announcement that hackers had stolen millions of government ID pictures.

DeFi protocol Abracadabra also experienced numerous exploits this year because of code-level vulnerabilities, pointing out the scope of vulnerabilities to attacks on infrastructure.

Chainalysis industry data reveal that thefts involving crypto reached more than 3.4 billion US dollars in 2025, and the losses are growing more and more concentrated in a few more extreme cases.