Last Updated: February 15, 2023
During a very short period of time on July 20th, 2021, an unknown third party attempted to register thousands of CoinTracker accounts in rapid succession. We detected this automated activity within minutes and blocked it from continuing further.
What do I need to do now?
If you don't want to use CoinTracker, you don't have to do anything! The account that the third party attempted to register on your behalf has already been deleted.
Was my data exposed?
No. At no point was anyone's data exposed, nor was it ever in danger of being exposed.
Out of an abundance of caution, we have deleted all the accounts created during the brief period of time when the automated activity occurred. We are retaining the email addresses used by the third party only long enough to notify those users affected, and then we will be purging the email addresses from our systems.
We are aware that some legitimate users registered accounts while the automated activity was occurring. Unfortunately, a few of those accounts will also be deleted by this purge. We're sorry if you're one of these affected users! If that is you, please create a new account and reach out to our support team. We will credit your new account $25 towards your first tax plan purchase as a way of thanking you for your patience.
How did this third party get my email address?
The vast majority of the email addresses used during this automated attempt to create accounts were not already associated with CoinTracker users. We are a privacy-conscious company and we don't keep any lists of emails addresses for non-users. This confirms that we were not the source of this data.
How can I prevent this from happening in the future?
If you received an unexpected email saying someone attempted to register an account on your behalf at CoinTracker or any other online service, your email address may have been included in publicly available breach data. Trusted third-party tools like Have I Been Pwned? are a useful resource for finding out if your email address has been seen in breach data, and in which data breaches it may have been seen.
In general, especially if your email address has appeared in breach data, you'll want to follow security best practices like changing your existing passwords, never reusing passwords, and using non-SMS Two Factor Authentication on any account that supports it. Password managers like 1Password are essential tools that should be utilized to ensure you're using unique and secure passwords.