CoinDCX says some user data exposed in breach at third party; funds safe

Indian crypto exchange says breach was at its US-based analytics vendor Mixpanel

Indian crypto exchange CoinDCX said on Friday some of its user data was exposed due to a security breach at Mixpanel, a third-party service provider.

 

CoinDCX told users in an email the breach did not affect its infrastructure and that their funds were safe. Mixpanel, which provides data analytics services to CoinDCX, suffered a security breach on November 8.

 

A person aware of the development stated that data such as users’ names and the duration of their use at the platform, were likely to have been breached. 

 

The US-based company told CoinDCX on November 25 that some of its data was accessed after the “security incident”.

 

 

“They (Mixpanel) confirmed that some of our CoinDCX users’ data was accessed. The security incident didn’t target CoinDCX specifically and included the broader customer base of Mixpanel. Mixpanel has no access to CoinDCX infrastructure or users’ funds,” CoinDCX told users in an email communication.

 

Business Standard has reviewed a copy of CoinDCX’s email to users. 

 

“This incident was entirely confined to Mixpanel’s systems and had no impact on CoinDCX infrastructure, wallets, or user funds. No sensitive information—such as passwords, OTPs, seed phrases, or critical KYC data was accessed,” CoinDCX said in response to the newspaper’s queries. 

 

The company did not comment on the number of users affected. 

 

It has a registered user base of more than 20 million customers. 

 

The company has informed users that it has collaborated with its service provider to confirm the containment of the breach.

 

It has initiated a full review of Mixpanel’s security posture, data minimisation, and its internal vendor risk processes.

 

It has cautioned users to stay alert to unsolicited calls, messages or phishing emails, including requests for OTP (one-time password), passwords, PINs, bank details, and links to social media groups impersonating official company communication.

 

“CoinDCX will never: Ask for your password, OTP, or 2FA (Two factor authentication), never ask you to share your wallet seed phrase nor ask you to install remote access apps,” it added.

 

The breach at a third-party vendor affecting the company’s users comes months after an alleged security breach led to the loss of $44 million.

 

This incident too, which happened in July, did not affect customer funds on the platform. 

Sumit Gupta, cofounder and chief executive officer of CoinDCX, had then said the company was set to absorb the lost amount.