A threat actor operating under the handle "macaroni" has posted what they claim is the full customer CRM of online trading platform Tradeify, releasing 240,174 customer profiles as a free, reply-gated leak on an underground forum. The incident, surfaced by Dark Web Informer on June 5, 2026, allegedly stems from an exposed Klaviyo API key that the actor states remains active. Tradeify has not publicly responded, and the records remain unverified.
What Happened
On June 5, 2026, an underground forum user identified as "macaroni" (described as an MVP-tier member of the host community) published a thread claiming to dump the complete Klaviyo CRM belonging to Tradeify, a United States-based online trading platform operating in the financial services sector. The post advertises 240,174 customer profiles as a free leak, with full sample records and the credential allegedly used for exfiltration locked behind a reply gate.
According to the listing, the breach was carried out via an exposed Klaviyo API key that the actor claims is still valid at the time of posting. If accurate, this would allow continued read access to customer marketing data and potentially permit tampering with profile records until the credential is rotated. Dark Web Informer notes that both the record count and the authenticity of the data remain unconfirmed.
What Was Taken
The actor's listing enumerates the following data fields drawn from Tradeify's Klaviyo customer relationship management environment:
- 240,174 customer profile records (claimed)
- Full names
- Email addresses
- Phone numbers
- Physical addresses including city, state, ZIP code, and country
- Limited purchase history
- Account metadata and custom Klaviyo properties
- Klaviyo CRM profile data
A redacted preview screenshot accompanies the post. Sample records and the API credential referenced in the thread have not been reproduced by Dark Web Informer.
Why It Matters
A CRM dump tying full identity and contact information to a financial trading platform is among the higher-value datasets in circulation on underground forums. Victims are, by definition, individuals with investable capital and active trading accounts, an audience routinely targeted by investment fraud, account takeover, SIM-swap, and tailored phishing operations.
The dataset's combination of name, email, phone, and physical address with platform-confirmed customer status removes the guesswork from social engineering. Adversaries can credibly impersonate Tradeify support, regulators, or counterparties because they know the victim is a real customer. Free, reply-gated distribution further amplifies the blast radius: there is no paywall throttling who can collect and weaponize the data.
The claim that the exposed API key is still live is the most acute operational concern. Klaviyo keys typically scope to profile read, write, and list management; if the claim is accurate, continued access could be used to harvest fresh records, modify subscriber data, or pivot to outbound communications sent from Tradeify's legitimate marketing channels.
The Attack Technique
The actor attributes the breach to an exposed Klaviyo API key rather than an intrusion into Tradeify's core trading infrastructure. Exposure of marketing platform keys typically occurs through one of several well-documented patterns: hardcoded credentials in client-side JavaScript or mobile application bundles, leakage in public source code repositories, secrets committed to build artifacts or container images, third-party developer compromise, or overly permissive keys distributed to contractors and partners.
Klaviyo supports both public site keys (intended for client-side use and scoped to write-only subscribe operations) and private API keys (which carry broader read and management permissions). A private key inadvertently embedded in a client-facing surface or leaked through a repository would explain bulk profile extraction without any compromise of Tradeify's primary trading systems. The leak post does not specify the exposure vector, only the credential type.
What Organizations Should Do
Organizations using Klaviyo or comparable marketing CRMs should treat this incident as a prompt to validate their own credential hygiene and downstream customer protections:
- Rotate all Klaviyo private API keys immediately and audit recent API activity logs for unusual export volumes, unfamiliar source IP addresses, or profile enumeration patterns over the past 90 days.
- Scan public and internal code repositories including GitHub, GitLab, Bitbucket, npm packages, mobile app bundles, and container registries for leaked Klaviyo, Mailchimp, HubSpot, and other marketing platform credentials using tools such as TruffleHog, Gitleaks, or GitHub secret scanning.
- Enforce least-privilege scoping on all marketing platform keys, restricting private keys to server-side use, and replacing any client-embedded private keys with public site keys limited to subscribe-only operations.
- Implement IP allowlisting on Klaviyo API access where supported, and enable webhook signing verification to detect credential misuse from unfamiliar origins.
- Notify affected customers proactively if you operate a trading or financial services platform, and prepare for an elevated wave of phishing impersonating brokerage support, KYC reverification requests, and fake withdrawal alerts targeting the leaked population.
- Hunt for downstream abuse by monitoring fraud signals on trading accounts including unusual login geographies, password reset velocity, and credential stuffing attempts against email addresses present in known breach corpora.
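The repository and bundle scan recommended above, together with the public-versus-private key distinction described under "The Attack Technique", can be sketched as follows. This is an added example, not code from the original report or from Klaviyo; it assumes private keys take the form `pk_` followed by 34 alphanumeric characters, the list of client-facing file suffixes is an assumption, and the file contents and key are constructed samples.

```python
import re
from pathlib import PurePosixPath

# Assumption: a Klaviyo private key is "pk_" followed by 34 alphanumerics.
PRIVATE_KEY_RE = re.compile(r"\bpk_[0-9A-Za-z]{34}\b")
# Assumption: files with these suffixes are shipped to browsers or devices.
CLIENT_SUFFIXES = {".js", ".mjs", ".html", ".map", ".plist", ".xml"}


def redact(key):
    """Keep only enough of the key to identify which credential to rotate."""
    return key[:5] + "..." + key[-2:]


def scan_text(path, text):
    """Return one finding per private-key match in a single file."""
    client_facing = PurePosixPath(path).suffix.lower() in CLIENT_SUFFIXES
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PRIVATE_KEY_RE.finditer(line):
            findings.append({
                "path": path,
                "line": lineno,
                "key": redact(match.group()),
                # A private key in a shipped asset is readable by every visitor.
                "severity": "critical" if client_facing else "high",
            })
    return findings


def scan_files(files):
    """Scan a {path: text} mapping and list client-facing hits first."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["path"]))


# Constructed sample inputs; the key is a fake built to match the assumed format.
FAKE_KEY = "pk_" + "a1b2" * 8 + "c3"
SAMPLE_FILES = {
    "dist/app.bundle.js": 'fetch(u,{headers:{Authorization:"Klaviyo-API-Key '
                          + FAKE_KEY + '"}})',
    "server/settings.py": "KLAVIYO_KEY = '" + FAKE_KEY + "'\n",
    # A six-character public site key and a Stripe publishable key: both are
    # meant to be public and must not be reported.
    "public/index.html": "klaviyo.js?company_id=AbC123\n"
                         "stripe = Stripe('pk_live_" + "x" * 30 + "')\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['severity']:8} {f['path']}:{f['line']} {f['key']}")
```

A hit in server-side code is still rated high because the key is stored in the repository rather than in a secrets manager; findings carry only a redacted form so the scan report does not become a second copy of the credential.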
Tradeify customers should treat any inbound communication referencing their account as suspect, enable hardware-backed multi-factor authentication, and review recent account activity for unauthorized actions.
Sources: Tradeify Data Breach: Hacker Claims to Leak 240K+ Customer Records