What happens if my email was compromised in the Customer.io data leak?

We recently learned our mailing list vendor – Customer.io – shared email addresses with an unauthorized third party. This means that if you signed up for an Exodus email list, it is likely your email address was impacted.

Protect yourself from phishing attempts

Customers whose email addresses were exposed can expect increased phishing attempts against their email account.

Phishing is a fraudulent method of impersonating people or companies to convince you to reveal personal information. In a sense, the thieves are “fishing” for your information hoping you will bite - don’t do it!

Here are a few ways to protect yourself against phishing attempts:

  • Turn on your spam filters!
  • Never click unfamiliar links or download unfamiliar attachments
  • Do not share your private keys or 12-word secret recovery phrase with anyone, in any situation!

If you receive an email that looks like it's from Exodus but doesn't come from @exodus.com or @exodus.io, please be careful, as it may contain malware or be a phishing attempt.

Exodus will NEVER ask for sensitive information, including passwords, 12-word phrases or private keys.
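The sender check described above can be automated when triaging reported messages. The following is an added example, not Exodus code: it parses the From header and accepts only an exact match on the two domains named in this article. The function names and sample headers are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# The only sender domains this article names as legitimate.
TRUSTED_DOMAINS = {"exodus.com", "exodus.io"}

def from_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the From address, or '' if absent."""
    msg = message_from_string(raw_message)
    # parseaddr separates the display name (free text chosen by the sender)
    # from the actual address inside the angle brackets.
    _display_name, address = parseaddr(msg.get("From", ""))
    local, at, domain = address.rpartition("@")
    return domain.lower() if at and local else ""

def sender_matches(raw_message: str) -> bool:
    """True only on an exact domain match; substring or suffix checks
    would accept lookalikes such as exodus.com.account-help.example."""
    return from_domain(raw_message) in TRUSTED_DOMAINS

# Constructed sample headers (not real messages).
SAMPLES = {
    "genuine": "From: Exodus Support <Support@EXODUS.COM>\nSubject: News\n\nbody",
    "lookalike": "From: Exodus <support@exodus.com.account-help.example>\n\nbody",
    "display_name": 'From: "support@exodus.io" <notice@mailer.example>\n\nbody',
    "no_from": "Subject: Wallet update\n\nbody",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13} domain={from_domain(raw)!r:40} match={sender_matches(raw)}")
```

A match only means the visible From header names an Exodus domain. That header can be forged, so a matching message that asks for a password, 12-word phrase or private key is still a phishing attempt.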

Quick tips to keep your email account safe

  • Change the password on all of your email accounts and ensure you are using a strong, unique password
  • Ensure two-factor authentication (2FA) is set up
  • Check your email addresses at https://haveibeenpwned.com to determine which, if any, other data breaches your email has been involved in

We’re standing by to support you! If you receive phishing attempts or strange requests being sent to your email address, you can report the incident to our team at [email protected].

How using Exodus keeps your crypto safe

A self-custodial wallet like Exodus gives you 100% control over your funds, because the private keys that control access to your funds are encrypted locally on your device. This also means that Exodus can never touch or move (or even see) any of your digital assets. Your keys – your cheese.

The beauty of self-custody with Exodus is that unless you choose to share information with us, we don’t have access to any personal information of any kind. You are always in control of your assets and your personal security and safety. Learn more about how you can improve your security profile here.

We’re here to help and support you. You can send us your questions or share your concerns by sending us an email at [email protected].

You are an important and valued member of our Exodus community. Thank you for your continued support.


Q: What did you use Customer.io for specifically?

Customer.io is our mailing list vendor. They store email addresses for those who have signed up for our newsletter.

The only information they had was email addresses and possibly your first name if you included it.

Q: Did they have any data besides my email address?

No, the only information that was disclosed was your email address and possibly your first name.

Q: Should I be concerned about the security of my Exodus wallet now?

Remember, you hold the keys to your crypto with Exodus. We’re a self-custodial solution, so your information is encrypted locally on your device.

As such, Exodus cannot and does not have access to your private keys, 12-word phrase, or the password used to unlock your wallet, making a breach of that data via Exodus virtually impossible.

Follow these general security tips from the Exodus Knowledge Base: List of security practices

Q: What kind of due diligence process do you go through as a company when bringing on vendors?

Depending on the type of data being stored with a third party, the Exodus security team will open communications with the vendor, and will request industry certifications and/or reports, including pentests if available, for review, and further clarity on pertinent items as needed.

Our Red Team will scan their APIs, both externally and internally (if permission is granted, through a standard account), looking for vulnerabilities to report.

Exodus will also use industry security report-card scoring to get a high-level overview of the vendor’s security posture – including data breaches – and will report any high or critical findings for remediation.

The security team then makes a decision based on the vendor’s record of patching vulnerabilities, how quickly security patches are applied, their security report-card scoring, any data breach history, and other related factors. We decide whether the vendor should be used and, if so, what data is permissible to share with the vendor.

Q: What should I do if I receive a phishing email / attack of some kind?

  1. Help keep our community safe. Please share details related to the incident with Exodus Support.
  2. Mark the message as Spam. This will report the email and will help stop similar messages from reaching your inbox.
  3. Ensure that passwords are not stored in text files on your computer, use a password manager, and frequently rotate your passwords for all sensitive accounts (email, banking, cryptocurrency websites).