Skip to content

Customer.io API Key

Service Name: Customer.io

Service Description: Customer.io is a customer engagement platform that enables businesses to send targeted messages across multiple channels including email, SMS, push notifications, and more based on customer behavior and data.

Service Address: https://customer.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through workspace settings.

Secret Access Scope: Grants programmatic access to Customer.io's API, allowing management of campaigns, segments, newsletters, and customer data.

Secret Revokement URL: https://customer.io/docs/managing-api-credentials/

Secret Example: skey_123abc456def789ghi0jkl

Suspicious Activity Investigation Instructions:

  • Review the activity logs in Customer.io to identify any unusual campaign creations or modifications
  • Check for unexpected changes to customer segments or data
  • Monitor for unusual API calls or high volumes of message sends
  • Verify if any new team members or API credentials were recently added
  • Examine any changes to tracking or integration settings

Mitigation Instructions:

  • Log in to your Customer.io account and navigate to Settings > API Credentials
  • Locate the compromised API key and click "Revoke"
  • Create a new API key with appropriate permissions

  • Update the API key in all legitimate applications and services

  • Review and update security settings, including IP restrictions if available
  • Audit all campaigns, segments, and automations for unauthorized changes
  • Consider enabling two-factor authentication for all team members
  • Review team member access and remove any unnecessary permissions