In a blog post, OpenSea warned that everyone who has shared their emails with the company should assume the breach affects them—including people who subscribe to its newsletter. The company urged its users to be vigilant for potential phishing attacks.
Details of the OpenSea Data Breach
According to OpenSea, an employee of its email delivery vendor, Customer.io, is the source of the breach. The employee reportedly abused their access to download OpenSea users’ email addresses, and share them with an unauthorized third party. OpenSea said it is assisting Customer.io in its investigation and has notified law enforcement. “If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” OpenSea said. In a tweet, the company added that it will reach out to potentially affected customers via email from the opensea.io domain. The company cautioned users about the likelihood of threat actors impersonating OpenSea in emails.
Heightened Likelihood of Phishing Attacks
Cybercriminals are increasingly targeting crypto and NFT marketplaces, motivated by the possibility of ill-gotten gains. While email is the most common avenue for phishing attacks, malicious actors are becoming more creative. They are targeting users on platforms such as Discord, taking over accounts and chatbots to spread malicious links disguised as token drops. Earlier this year, OpenSea users lost $1.7 million worth of tokens in a phishing attack. With this in mind, OpenSea warned its users about potential phishing attacks in the future. The company provided a list of guidelines to help its users stay safe, telling them to look out for visually similar but misspelled domain names. OpenSea also told its users to never download anything from an “OpenSea” email, as the company does not include attachments or requests to download in any of their emails. OpenSea reminded its users to check URLs thoroughly and to never share/confirm passwords or seed phrases. The company warned that users should never sign a wallet transaction that comes directly from an email. “Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts,” OpenSea said. “While safe email practices are always important, we strongly recommend that you follow the guidelines… and treat any future emails that appear to be from OpenSea carefully.” If you found this story interesting, we recommend checking out our detailed article on phishing. It includes useful tips to help you identify phishing attacks and keep your data safe.
