OpenSea, the largest non-fungible token (NFT) marketplace by trading volume, has suffered a data breach after an employee at the platform’s email delivery partner – Customer.io – leaked user data. In a blog post on Thursday, the marketplace said that an employee of Customer.io “misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorised external party.” According to OpenSea, all customers who have shared their email with the platform in the past should assume they have been impacted by the breach.
In a blog post, OpenSea’s head of security Cory Hardman said that an employee of Customer.io, OpenSea’s email delivery vendor, abused their access by downloading and externally sharing customer data.
If we believe your email address was impacted, you’ll receive an email from the domain ‘https://t.co/3qvMZjxmDB.’
Please stay cautious. Malicious actors may use this information to impersonate OpenSea in email phishing attempts.
A few important email safety recommendations:
— OpenSea (@opensea) June 30, 2022
“If you have shared your email with OpenSea in the past, you should assume you were impacted,” he wrote. “We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”
The company further warned customers might face phishing attacks — attempts by cybercriminals posing as credible institutions with the aim to obtain sensitive information — by using a domain name similar to the official “opensea.io,” such as “opensea.org” or “opensae.io.”
Hardman also shared a set of safety recommendations that would help defend against phishing attempts advising them to be suspicious of any emails trying to impersonate OpenSea, not to download and open email attachments, and to check the URLs of pages linked in OpenSea emails.
Users are also urged never to share or confirm their passwords or secret wallet phrases and never to sign wallet transactions if prompted directly via email.
Some customers took to Twitter to share screenshots showing that OpenSea contacted them by email to inform them about the breach.
A similar incident occurred in March, when hackers breached third-party marketing vendor HubSpot to target large crypto stakeholders. NYDIG, Pantera Capital, BlockFi, Circle and Swan Bitcoin were among the affected companies.