OpenSea Suffers Data Breach, Users’ Emails Leaked

Popular NFT marketplace OpenSea on Wednesday revealed it suffered a data breach, which allowed an unauthorized third party to gain access to its users’ email addresses.

In a blog post, OpenSea warned that everyone who has shared their emails with the company should assume the breach affects them—including people who subscribe to its newsletter. The company urged its users to be vigilant for potential phishing attacks.

Details of the OpenSea Data Breach

According to OpenSea, an employee of its email delivery vendor, Customer.io, is the source of the breach. The employee reportedly abused their access to download OpenSea users’ email addresses and share them with an unauthorized third party.

OpenSea said it is assisting Customer.io in its investigation and has notified law enforcement.

“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” OpenSea said.

In a tweet, the company added that it will reach out to potentially affected customers via email from the opensea.io domain. The company cautioned users about the likelihood of threat actors impersonating OpenSea in emails.

Heightened Likelihood of Phishing Attacks

Cybercriminals are increasingly targeting crypto and NFT marketplaces, motivated by the possibility of ill-gotten gains.

While email is the most common avenue for phishing attacks, malicious actors are becoming more creative. They are targeting users on platforms such as Discord, taking over accounts and chatbots to spread malicious links disguised as token drops. Earlier this year, OpenSea users lost $1.7 million worth of tokens in a phishing attack.

With this in mind, OpenSea warned its users about potential phishing attacks in the future. The company provided a list of guidelines to help its users stay safe, telling them to look out for visually similar but misspelled domain names.

OpenSea also told its users never to download anything from an “OpenSea” email, as the company does not include attachments or download requests in any of its emails.

OpenSea reminded its users to check URLs thoroughly and to never share/confirm passwords or seed phrases. The company warned that users should never sign a wallet transaction that comes directly from an email.
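The guidance above (watch for visually similar but misspelled domain names, check URLs carefully) can be turned into a mechanical check on the sender domain and links of an inbound message. The script below is an added example, not OpenSea’s or Customer.io’s code: the legitimate domain opensea.io comes from the article, while the confusables table, the edit-distance threshold and every sample sender and URL are constructed assumptions for illustration.

```python
# Heuristic lookalike-domain and URL triage for inbound mail.
# Added example (not OpenSea's or Customer.io's code). The legitimate domain
# opensea.io comes from the article; HOMOGLYPHS, MAX_EDITS and all sample
# senders/URLs are constructed assumptions for illustration.
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "opensea.io"          # domain the article says OpenSea mails from
BRAND = LEGIT_DOMAIN.split(".")[0]   # "opensea"
MAX_EDITS = 2                        # edit-distance threshold (assumption)

# Small, constructed confusables table: digit and Cyrillic stand-ins for Latin letters.
HOMOGLYPHS = {"0": "o", "\u043e": "o", "\u0430": "a", "\u0435": "e",
              "\u0455": "s", "\u0440": "p", "\u0441": "c"}


def normalize(host: str) -> str:
    """Lower-case the host, decode punycode labels, and fold confusable characters."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except (UnicodeError, ValueError):
                pass  # undecodable label: keep as-is
        labels.append("".join(HOMOGLYPHS.get(ch, ch) for ch in label))
    return ".".join(labels)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender/link host."""
    raw = host.lower().rstrip(".")
    if raw == LEGIT_DOMAIN or raw.endswith("." + LEGIT_DOMAIN):
        return "legitimate"          # exact domain or a subdomain of it
    norm = normalize(raw)
    if norm == LEGIT_DOMAIN or norm.endswith("." + LEGIT_DOMAIN):
        return "lookalike"           # only matches after confusable folding (0pensea.io)
    labels = norm.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]  # naive registrable label, no PSL
    if any(BRAND in lab for lab in labels[:-2]):
        return "lookalike"           # brand buried in a subdomain: opensea.io.example.com
    if BRAND in sld or edit_distance(sld, BRAND) <= MAX_EDITS:
        return "lookalike"           # opensea-support.com, openseas.io, ...
    return "unrelated"


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'OpenSea <x@opensea.io>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def classify_url(url: str) -> str:
    """Classify a link by its host; the brand in the path of an unrelated host is a lookalike."""
    parts = urlparse(url)
    host = parts.hostname or ""
    verdict = classify_domain(host) if host else "unrelated"
    if verdict == "unrelated" and BRAND in (parts.path + parts.query).lower():
        return "lookalike"
    return verdict


def triage(from_header: str, links):
    """Combine sender and link verdicts into a message-level result with reasons."""
    reasons = []
    display_name, _ = parseaddr(from_header)
    dom = sender_domain(from_header)
    sv = classify_domain(dom) if dom else "unrelated"
    if sv == "lookalike" or (sv == "unrelated" and BRAND in display_name.lower()):
        reasons.append(f"sender domain {dom!r} is {sv} despite claiming to be OpenSea")
    for url in links:
        if classify_url(url) == "lookalike":
            reasons.append(f"link {url!r} is a lookalike")
    verdict = "suspicious" if reasons else "consistent-with-opensea"
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample message for illustration.
    print(triage("OpenSea <noreply@opensea-support.com>",
                 ["https://opensea.io.example.com/verify"]))
```

The registrable-domain step simply takes the last two labels and does not consult the Public Suffix List, so hosts under suffixes like co.uk would be mis-split; the confusables table is deliberately small. The check complements, rather than replaces, SPF/DKIM/DMARC verification of the sending domain and the article’s advice never to sign a wallet transaction that arrives by email.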

“Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts,” OpenSea said. “While safe email practices are always important, we strongly recommend that you follow the guidelines… and treat any future emails that appear to be from OpenSea carefully.”

If you found this story interesting, we recommend checking out our detailed article on phishing. It includes useful tips to help you identify phishing attacks and keep your data safe.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.