Skip to content

Customer.io Track API Key

Service Name: Customer.io

Service Description: Customer.io is a marketing automation platform that enables businesses to send targeted messages to their customers across multiple channels including email, SMS, push notifications, and more based on how they interact with your business.

Service Address: https://customer.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through workspace security settings.

Secret Access Scope: Track API Keys grant access to send data to Customer.io, allowing applications to identify users and track their behavior. These keys have limited permissions focused on tracking events and user properties.

Secret Revokement URL: https://customer.io/docs/api/#section/Authentication/Managing-API-Keys

Secret Example: track_1234567890abcdef1234567890abcdef

Suspicious Activity Investigation Instructions:

  • Review the activity logs in Customer.io to identify any unusual data ingestion patterns
  • Check for unexpected user profiles or events being created in your Customer.io workspace
  • Monitor for unusual spikes in API calls or data volume
  • Examine your application logs for unauthorized API calls using the Track API key
  • Verify if the key has been exposed in public repositories or code

Mitigation Instructions:

  • Log into your Customer.io account and navigate to Settings > API Credentials
  • Locate the compromised Track API key and click "Revoke"
  • Generate a new Track API key to replace the compromised one
  • Update the API key in all legitimate applications and services
  • Implement proper secret management practices such as environment variables or secret managers
  • Consider implementing IP restrictions for API access if available
  • Review and update your security policies regarding API key management
  • Monitor for any continued unauthorized access attempts