Elain Brown Tech 07.01.2022 01:Jul AM EDT

OpenSea Data Breach: Users’ Email Addresses Have Been Leaked

OpenSea confirms their system's data breach through a third-party vendor, Customer.io.

Customer.io is the email vendor that the NFT platform works with in order to deliver their newsletter and email services.

OpenSea sent out a public notice to alert its users regarding an employee on Customer.io that misused their employee access to download and share the email addresses that OpenSea provided with an unauthorized third party.

OpenSea Data Breach

OpenSea's Head of Security, Cory Hardman, stated that the recent breach affects any account holder and emails that are subscribed to the platform's newsletter.

The NFT company warns that if users have shared their email with OpenSea in the past, they should assume that they are impacted by this breach.

Although it is reported by Engadget that compromised passwords and other personal information were not breached as of the moment.

The company stated in their blog post that they have reported the incident and are currently working in cooperation with law enforcement agencies on their ongoing investigation.

OpenSea encourages its customers to be vigilant with their email practices and be on the lookout for any suspicious email that claims to be from the platform.

The organization warned OpenSea customers who they felt were implicated to be on the alert for phishing emails and other types of scams by sending them emails to their accounts.

No information on the third party who obtained access to the compromised email accounts has been disclosed as of yet.

As reported by Engadget, a representative of Customer.io stated that the person who was responsible for the data leak had "role-specific" access to the OpenSea data that was misused.

Although the company does not believe that the data of any additional customers has been stolen or compromised, an investigation is still ongoing.

The employee in question has had all of their privileges stripped away, and they have been placed on administrative leave until the outcome of their investigation.

OpenSea NFT Phishing

Last February, OpenSea users were threatened by a massive phishing attack.

At first, it was thought that the attack was associated with a smart contract to which users of OpenSea had been transitioning their NFTs over the course of the preceding few months.

On the contrary, OpenSea provided evidence suggesting that the attack was most likely an attempt at phishing.

The malicious threat actors behind the attack were able to compromise $1.7 million worth of ETH.

The actors were also able to get themselves 250 high-valued NFT collections, such as Doodles, Bored Ape Yacht Club, and Azuki.

OpenSea Recommends

OpenSea recommends a few steps for users to take in order not to fall victim to these types of cyberattacks.

First, the company urged its users to be wary of email addresses trying to impersonate OpenSea. They clarified that they will only be sending emails through their official domain, "opensea.io."
Secondly, they also instructed users not to download anything from the email, assuring that the real OpenSea email would not include any attachments or any requests to download anything.
Third, the company strongly informs users to not sign any wallet transactions via email. This might be a scam or a phishing attempt. Signing a wallet transaction that is triggered directly from an email should NEVER be done.
Fourth, the company also warns its customers to never share their login details, especially their passwords or secret wallet phrases.
Lastly, the company reminds its consumers to examine the URL of each and every page that is linked in an OpenSea email. Only URLs starting with 'email.opensea.io' will have hyperlinks included by us. Make sure that the domain name "opensea.io" is spelled correctly.