OpenSea Customer Emails Exposed in Third-Party Breach
No Bored Apes Were Harmed in Breach Affecting Millions of Users
Add the risk of phishing to the woes afflicting patrons of non-fungible token marketplace OpenSea after a rogue email delivery vendor employee downloaded the company's email address database and shared it "with an unauthorized external party."
Anyone who shared an email address with the marketplace famous for selling blockchain entries tied to digital images of anthropomorphized apes must assume their email address has been compromised, the company says. OpenSea claims to be the largest NFT marketplace; nearly 1.9 million users have made at least one transaction on the platform, according to data from blockchain market firm Dune Analytics.
A blog post from Cory Hardman, the company's head of security, says an employee at email vendor Customer.io downloaded and shared with an external party OpenSea's customer and newsletter subscriber list.
As a result, OpenSea is warning customers of a heightened likelihood of email phishing attempts. "Malicious actors may try to contact you using an email address that looks visually similar to our official email domain, 'opensea.io' (such as 'opensea.org' or some other variation)," Hardman wrote.
OpenSea's offerings are undergoing a rough patch. Dune Analytics shows OpenSea trading volumes declining sharply this month. Prices aggregated by NFT Price Floor indicate the value of the Bored Ape Yacht Club line of NFT apes has plunged more than 40% since its April high.
OpenSea says it has informed law enforcement authorities and is also cooperating with Customer.io's ongoing investigation.
A Customer.io spokesperson tells Information Security Media Group that it took "immediate steps to investigate, contain its impact and determine its source, including hiring a third-party forensic investigations firm." It says it is working closely with OpenSea and reviewing how the email addresses were compromised.
"We believe this resulted from the actions of an employee who had role-specific access privileges that were abused. We do not believe any other clients' data has been compromised, but we are continuing to investigate," the spokesperson says. The employee in question is under suspension pending the outcome of the investigation and no longer has access to company systems, the spokesperson also says.
No Blockchain Addresses Leaked
Customer.io does not have any access to blockchain wallet addresses, and only email addresses were compromised in the process, confirms Anne Fauvre-Willis, OpenSea vice president of special projects. No email content was leaked, only email addresses, she also says on Twitter.
@FatManTerra https://t.co/S6A49fS8IR doesn't have access to any wallet addresses. An employee of our email vendor, https://t.co/S6A49fS8IR, misused their employee access to download & share email addresses with an unauthorized external party.
— Anne Fauvre-Willis (anniefauv.eth | anniefauv.sol) (@AnnieFauv) June 30, 2022
OpenSea offers the following safety recommendations:
- Be cautious of emails from addresses trying to impersonate OpenSea.
- Never download anything from an OpenSea email because the company does not include attachments or requests to download anything.
- Check the URL of any page linked in an OpenSea email; only hyperlinks to 'email.opensea.io' are sent in legitimate messages.
- Do not share or confirm your passwords or secret wallet phrases.
- Never sign a wallet transaction prompted directly from an email.
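The recommendations above amount to three mechanical checks a mail filter or a help desk can run before a user ever reads the message: is the sender domain really opensea.io or a lookalike such as opensea.org, do all hyperlinks go to email.opensea.io, and does the message carry an attachment. The following is an added example written for this article, not code from OpenSea or Customer.io. It assumes, as the advisory states, that opensea.io is the only legitimate sender domain and email.opensea.io the only legitimate link host; the two sample messages and the lookalike heuristics (same name under another suffix, or a one-character edit) are constructed for illustration.

```python
"""Triage helper for the phishing risk described in the advisory.

Added example, not OpenSea's or Customer.io's code. Assumes (per the
advisory) that 'opensea.io' is the only legitimate sender domain and
'email.opensea.io' the only legitimate link host. Sample messages are
constructed for this example.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "opensea.io"          # legitimate sender domain (from the advisory)
LEGIT_LINK_HOST = "email.opensea.io"  # only host legitimate links point to (from the advisory)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes such as '0pensea.io'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True when a domain is not the real one but resembles it (heuristic, constructed):
    the real name appears in it ('opensea.org', 'opensea-support.com') or it is
    one character away from it ('0pensea.io')."""
    domain = domain.lower().rstrip(".")
    if domain == legit:
        return False
    name = legit.split(".")[0]
    return name in domain or edit_distance(domain, legit) <= 1


def triage(raw: bytes) -> dict:
    """Apply the advisory's checks to one RFC 822 message; return findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Sender domain must be opensea.io (subdomains allowed; an assumption of this example).
    if not (sender_domain == LEGIT_DOMAIN or sender_domain.endswith("." + LEGIT_DOMAIN)):
        kind = "lookalike sender domain" if is_lookalike(sender_domain) else "foreign sender domain"
        findings.append(f"{kind}: {sender_domain}")

    # 2. Every hyperlink must point at email.opensea.io.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
        if host != LEGIT_LINK_HOST:
            findings.append(f"link to non-OpenSea host: {host}")

    # 3. OpenSea says it never sends attachments, so any attachment is a red flag.
    if any(part.get_filename() for part in msg.iter_attachments()):
        findings.append("message carries an attachment (OpenSea never sends them)")

    return {"sender_domain": sender_domain, "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (not real mail).
PHISH = b"""From: OpenSea Support <support@opensea.org>
To: user@example.com
Subject: Verify your wallet
Content-Type: text/plain

Your account is at risk. Confirm your seed phrase at
https://opensea.org.example.com/verify now.
"""

LEGIT = b"""From: OpenSea <no-reply@opensea.io>
To: user@example.com
Subject: Weekly digest
Content-Type: text/plain

Read this week's highlights: https://email.opensea.io/digest
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

The lookalike test is deliberately loose: it exists to explain to a user why a message was held, not to be the only gate. The hard rules are the exact sender-domain and link-host matches, which are what the advisory actually specifies.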