A leak of information on the NFT OpenSea marketplace could leave customers vulnerable to phishing attacks.
Unauthorized disclosure of email addresses by third-party employees could lead to phishing scams against affected individuals.
OpenSea, a major NFT marketplace, warned of a data breach that leaked the email addresses of its users and newsletter subscribers. In a statement released Jan. 2, OpenSea noted that anyone who has shared their email address with the company in the past should consider themselves affected by the breach.
The breach
The breach was caused by an employee of OpenSea’s email provider, Customer.io. According to the notice, an unnamed employee allegedly abused their access rights to download the email addresses of OpenSea users and newsletter subscribers and shared them with unauthorized external parties. OpenSea said it is working with Customer.io to investigate the incident and that it has reported the problem to law enforcement, with whom it is cooperating.
With a current valuation of $13.3 billion, OpenSea is the largest marketplace for NFT (non-fungible tokens) trading. NFTs, which are purchased with cryptocurrency, are digital objects linked to a blockchain that records ownership and other information. NFTs are the newest commodity in the cyber world and are piquing the interest of many collectors because they are unique and tradable. However, some argue that NFTs are highly speculative and not suitable for long-term investment.
OpenSea hasn’t disclosed the number of people or email addresses compromised, but it’s likely to be around two million. Data collected by cryptocurrency website Dune Analytics indicates that more than 1.8 million users made at least one purchase on OpenSea through the Ethereum network.
How did the OpenSea breach come about?
Although it is still unclear why a Customer.io employee leaked the email addresses to outside parties, some experts believe the incident was not an accident.
“Considering that this person has exclusive access to the OpenSea account in Customer.io, this mass dump of emails was probably not authorized, and secondly, this person may have done it intentionally and in bad faith,” said Karl Steinkamp, director at security consultancy Coalfire. “As the case progresses, we will investigate whether there were external payments or threats for this particular access that served as a means of impersonating or stealing people’s NFTs.”
Stephen Banda, director of security solutions at security services provider Lookout, agrees with Steinkamp’s summary.
“As for the OpenSea data breach,” Banda explained, “it seems to be economically motivated. There is a lucrative market for stolen information and credentials. In this case, the email addresses of two million customers from the world’s largest NFT marketplace would be very attractive to malicious actors looking to launch a large-scale phishing attack.”
What to do if you are affected by a data breach?
Those affected by the email address breach should be prepared for an increase in phishing scams. OpenSea has also provided the following tips to those affected by this data breach.
Beware of phishing emails from addresses that impersonate OpenSea.
Only emails sent from opensea.io are legitimate. Beware of emails with variations of this name.
Never download email attachments from OpenSea.
Legitimate OpenSea emails do not contain attachments or file download requests.
Check the URL of the linked page in the OpenSea email.
Links in legitimate OpenSea emails resolve to email.opensea.io. Check that the link spells opensea.io correctly.
Don’t share passwords or wallet passphrases.
OpenSea will not share or seek confirmation of such confidential information.
Do not sign wallet transactions directly from your email.
OpenSea emails do not contain links directly asking you to sign wallet transactions. Do not sign any transaction that does not list https://opensea.io as the source, especially one you received via email.
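The checklist above maps directly onto mechanical checks an email gateway or a cautious user can run on an incoming message: sender domain, presence of attachments, the host each link actually points to, and whether the body asks for a wallet signature. The script below is an added example for this page; it is not OpenSea's or Customer.io's code. It assumes that legitimate mail comes from exactly opensea.io and that legitimate links point only to email.opensea.io or opensea.io, as the tips state, and the two sample messages (with their lookalike domains under the reserved .example TLD) are constructed for the demonstration. The important design point is that hosts are compared by exact match, not substring: the string "opensea.io" appears inside "opensea.io.example", so a substring test would pass precisely the kind of variation the tips warn about.

```python
"""Check an inbound e-mail against the OpenSea anti-phishing tips (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts the notice names as legitimate; assumption: exact hostnames only.
LEGIT_SENDER_DOMAINS = {"opensea.io"}
LEGIT_LINK_HOSTS = {"opensea.io", "email.opensea.io"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def sender_domain(msg):
    """Domain part of the From: header, lower-cased (e.g. 'opensea.io')."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].strip().lower()


def link_hosts(text):
    """Hostnames of every http(s) URL found in the message text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def host_allowed(host, allowed):
    # Exact match on purpose: a substring test ('opensea.io' in host) would
    # accept lookalikes such as opensea.io.example or opensea-io.example.
    return host in allowed


def check_email(raw):
    """Return a list of findings; an empty list means every tip is satisfied."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Tip 1: only mail from opensea.io is legitimate.
    sender = sender_domain(msg)
    if not host_allowed(sender, LEGIT_SENDER_DOMAINS):
        findings.append(f"sender domain not opensea.io: {sender}")

    # Tip 2: legitimate OpenSea mail carries no attachments.
    if any(True for _ in msg.iter_attachments()):
        findings.append("message has an attachment")

    # Tip 3: every link must resolve to an allowlisted OpenSea host.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in link_hosts(text):
        if not host_allowed(host, LEGIT_LINK_HOSTS):
            findings.append(f"link to non-OpenSea host: {host}")

    # Tip 5: OpenSea mail never asks you to sign a wallet transaction.
    if re.search(r"sign (this|the|a) (wallet )?transaction", text, re.IGNORECASE):
        findings.append("body asks to sign a wallet transaction")

    return findings


# Constructed sample messages (not real mail); lookalike domains use .example.
LEGIT_MAIL = b"""\
From: OpenSea <no-reply@opensea.io>
To: user@example.com
Subject: Your weekly digest
Content-Type: text/plain; charset="utf-8"

Read the latest at https://email.opensea.io/digest and https://opensea.io/
"""

SUSPICIOUS_MAIL = b"""\
From: "OpenSea Support" <support@opensea-io.example>
To: user@example.com
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please sign the transaction at https://opensea.io.example/sign to keep your items.

--XYZ
Content-Type: application/octet-stream; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MAIL), ("suspicious", SUSPICIOUS_MAIL)):
        print(name, check_email(raw) or ["no findings"])
```

Run as-is, the legitimate sample produces no findings and the suspicious one produces four: a non-opensea.io sender, an attachment, a link to a lookalike host, and a request to sign a transaction. A single finding is enough to treat the message with suspicion; the checks are deliberately conservative because the tips describe what legitimate OpenSea mail never does.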
Ryan McCurdy, vice president of marketing at digital risk firm Bolster, said: “Users also need to be very careful about phishing on social media. The cryptocurrency and NFT communities are very active on social media channels like Telegram and Discord. On both channels, scammers have created groups that impersonate most of these brands. If someone sends you a link to join one of these communities, always make sure it’s an authentic community.”