CoinTracker Third-party security incident (Mixpanel)

15•dotmanish•2mo ago

(Received as on 26 Nov 2025)

We’re reaching out to let you know about a security event involving one of CoinTracker’s third-party service providers, Mixpanel. We want to be transparent about what happened, what information was involved, and what we’re doing in response.

To be clear: CoinTracker’s systems were not compromised, and no access was gained to our internal infrastructure. What happened

On November 21, 2025, Mixpanel — a data analytics provider used by CoinTracker and many other software companies — provided details of a security incident that occurred within their environment.

Mixpanel’s security team found that an attacker had gained access to their systems through an SMS phishing attack (”smishing”). Using elevated permissions, the attacker exported certain datasets containing CoinTracker user information. Mixpanel stopped the unauthorized activity and initiated an investigation.

CoinTracker systems were not affected. What information was involved

The data involved is limited to profile data, which includes: Email address Geographic location (derived from IP address: city, region, country) Device metadata (e.g., screen size, Android version, mobile carrier) Limited transaction summaries (e.g., 2022 total transaction count) User preferences or attributes (e.g., “is accountant”)

No CoinTracker account logins or specific transaction/wallet data were exposed. What information was NOT involved

Wallet addresses Recovery phrases Private keys (CoinTracker never collects this data) CoinTracker passwords or login credentials Tax forms Exchange-connected transaction data Bank account or credit card information Social Security numbers or other government-issued IDs

CoinTracker’s systems were not compromised. The breach occurred solely within Mixpanel’s environment. Important safety tips

Be alert for any suspicious or unexpected emails. Avoid clicking on links or downloading attachments from unknown sources. If you use CoinTracker, enable multi-factor authentication (MFA) to further protect your account. What we’re doing

We have stopped sending email addresses to Mixpanel and are auditing all tools that handle user data. We’ve also opted into Mixpanel’s third-party review and monitoring process to confirm what was accessed and ensure it does not appear on the dark web.

Protecting your data is our priority. If you have questions or concerns, please don’t hesitate to reach out to our team at support@cointracker.com

The CoinTracker Team

Comments

dario101•2mo ago

I'm beyond pissed about this. Why were they sending PII to mixpanel in the first place? Amateur hour big time.

someone1998•2mo ago

So true! I made a hacker news account to specifically say this ! Mixpanel is being used as a frontend analytics tool, sharing PIIs with them is so incomprehensible!

dilek•2mo ago

https://openai.com/index/mixpanel-incident/

openai is impacted too

ChrisArchitect•2mo ago

Mixpanel notice: https://mixpanel.com/blog/sms-security-incident/ (https://news.ycombinator.com/item?id=46066522)

Scientists reverse Alzheimer's in mice and restore memory (2025)

Compiling Prolog to Forth [pdf]

Show HN: Cymatica – an experimental, meditative audiovisual app

GitBlack: Tracing America's Foundation

Horizon-LM: A RAM-Centric Architecture for LLM Training

We just ordered shawarma and fries from Cursor [video]

Correctio

Trying to make an Automated Ecologist: A first pass through the Biotime dataset

Watch Ukraine's Minigun-Firing, Drone-Hunting Turboprop in Action

Free Trial: AI Interviewer

FDA Intends to Take Action Against Non-FDA-Approved GLP-1 Drugs

Supernote e-ink devices for writing like paper

We are QA Engineers now

Show HN: Measuring how AI agent teams improve issue resolution on SWE-Verified

Adversarial Reasoning: Multiagent World Models for Closing the Simulation Gap

Show HN: Poddley.com – Follow people, not podcasts

Layoffs Surge 118% in January – The Highest Since 2009

Papyrus 114: Homer's Iliad

DicePit – Real-time multiplayer Knucklebones in the browser

Turn-Based Structural Triggers: Prompt-Free Backdoors in Multi-Turn LLMs

Show HN: AI Agent Tool That Keeps You in the Loop

Why Every R Package Wrapping External Tools Needs a Sitrep() Function

Achieving Ultra-Fast AI Chat Widgets

Show HN: Runtime Fence – Kill switch for AI agents

Researchers surprised by the brain benefits of cannabis usage in adults over 40

Peter Thiel warns the Antichrist, apocalypse linked to the 'end of modernity'

USS Preble Used Helios Laser to Zap Four Drones in Expanding Testing

Show HN: Animated beach scene, made with CSS

An update on unredacting select Epstein files – DBC12.pdf liberated

Was going to share my work