
NFT giant OpenSea is warning of a data breach that exposed the email addresses of users and subscribers to the company’s newsletter. In a notice published Wednesday, OpenSea revealed that anyone who shared their email address with the company in the past should assume that they were impacted.

The breach was caused by an employee at Customer.io, the email delivery vendor for OpenSea. As described in the notice, the unnamed employee apparently misused their access to download and share email addresses of OpenSea users and newsletter subscribers with an unauthorized external party. OpenSea said that it’s working with Customer.io to investigate the incident and has also reported it to law enforcement.

With a recent valuation of $13.3 billion, OpenSea is the largest marketplace for trading NFTs, or non-fungible tokens. Purchased using cryptocurrency, NFTs are digital items linked back to a blockchain to record ownership and other details. The latest type of commodity in today’s cyber world, NFTs are unique and tradeable and have aroused interest among many collectors. However, some feel that NFTs are highly speculative and unlikely to hold up as a long-term investment.


OpenSea did not disclose how many people or email addresses were compromised in the breach, but it could be close to 2 million. Data collected by crypto analytics site Dune Analytics points to more than 1.8 million users who have made at least one purchase on OpenSea using the Ethereum network.

Why did the OpenSea breach happen?

No motives have yet been revealed as to why the Customer.io employee shared the email addresses externally, but some experts don’t see the incident as accidental.

“Given that the individual had access uniquely to the OpenSea account at Customer.io, it stands to reason that this massive dump of emails likely wasn’t authorized, and secondarily, may have been an intentional malicious action by the individual,” said Karl Steinkamp, director at security advisory firm Coalfire. “As this case unfolds, it will be interesting to see if the person was paid off or blackmailed by the external party for this specific access as a vector to phish and steal NFTs from individuals.”

Stephen Banda, senior manager for security solutions at security service provider Lookout, agrees with Steinkamp’s summation.

“When it comes to the data breach at OpenSea, to me this seems to be financially motivated,” Banda said. “There is a lucrative market for stolen information and credentials. In this case, 2 million email addresses of customers of the world’s biggest marketplace for NFTs will be highly attractive to bad actors looking to launch broad phishing attacks.”

What to do if you’ve been impacted

With the email addresses compromised, those affected should prepare themselves for an increase in phishing attempts. OpenSea also shared the following tips for people impacted by the breach:

Watch out for phishing emails from addresses trying to impersonate OpenSea.

Only emails sent from opensea.io are legitimate. Be wary of emails that use variations of that name.

Never download any attachments from an OpenSea email.

Legitimate OpenSea emails don’t come with attachments or requests to download files.

Check the URL of any linked page in an OpenSea email.

Links in legitimate OpenSea emails will resolve to email.opensea.io. Scrutinize any links to make sure that opensea.io is spelled correctly.

Don’t share passwords or secret wallet phrases.

OpenSea will not ask you to share or confirm this type of sensitive information.

Don’t sign a wallet transaction directly from an email.

OpenSea emails do not contain links that directly ask you to sign a wallet transaction. Avoid signing any such transaction that does not list https://opensea.io as the origin, especially if you reached it via email.
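The sender, link and signing-origin rules in the tips above, written out as checks a mail filter or browser extension could apply. This is an added example, not code from OpenSea or the article; opensea.io, email.opensea.io and the https://opensea.io origin come from the tips, and every sample address and URL below is constructed.

```python
"""Machine-checkable form of OpenSea's post-breach tips (added example).

Senders must be on opensea.io, link hosts must be opensea.io or a subdomain
such as email.opensea.io, and a wallet-signing prompt must carry the exact
origin https://opensea.io. Sample addresses and URLs here are constructed.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "opensea.io"


def host_is_legit(host: str) -> bool:
    """True only for opensea.io itself or a subdomain of it.

    Comparing the parsed host, rather than searching the raw string for
    'opensea.io', is what rejects look-alikes such as opensea.io.example.com
    or opensea-io.com, which a substring check would wave through.
    """
    host = host.lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def sender_is_legit(address: str) -> bool:
    """Sender check: the domain after the last '@' must be exactly opensea.io."""
    _, at, domain = address.rpartition("@")
    return bool(at) and domain.lower() == LEGIT_DOMAIN


def link_is_legit(url: str) -> bool:
    """Link check: https plus a host under opensea.io (e.g. email.opensea.io).

    urlsplit().hostname ignores any user@ prefix, so 'https://opensea.io@...'
    is judged on the real host that follows the '@'.
    """
    p = urlsplit(url)
    return p.scheme == "https" and p.hostname is not None and host_is_legit(p.hostname)


def signing_origin_is_legit(origin: str) -> bool:
    """Wallet-prompt check: the origin must be exactly https://opensea.io."""
    p = urlsplit(origin)
    return p.scheme == "https" and p.hostname == LEGIT_DOMAIN and p.port is None and p.path == ""


if __name__ == "__main__":
    # Constructed sample email: legitimate sender, one real link, one decoy.
    sender = "notifications@opensea.io"
    links = ["https://email.opensea.io/c/track", "https://opensea.io.example.com/verify"]
    print("sender ok:", sender_is_legit(sender))
    for link in links:
        print(link, "ok" if link_is_legit(link) else "SUSPICIOUS")
```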

“Users should also be highly aware of impersonations on social media,” said Ryan McCurdy, vice president of marketing at digital risk firm Bolster. “The crypto and NFT community are extremely active on social media channels like Telegram and Discord. On both these channels, scammers set up groups impersonating almost all of these brands. If someone sends you a link to join these communities, make sure to verify that you are joining the real one.”
