OpenSea users’ email addresses leaked in data breach

NFT marketplace OpenSea shared today that it’s the victim of another data breach — though this time the target is one of its vendors. An employee of its email delivery vendor, Customer.io, allegedly downloaded and shared stored email addresses associated with OpenSea accounts and newsletter subscriptions with an unknown third party. Any OpenSea account holder or newsletter subscriber should assume their email address was among those impacted, according to a blog post by the company’s head of security Cory Hardman. At this time it does not appear any passwords or other personal information was stolen.

The company is working with Customer.io to investigate the matter. “Please stay vigilant about your email practices, and be alert for any attempt to impersonate OpenSea via email,” wrote Hardman.

Unlike a previous phishing attack on OpenSea in February that resulted in hundreds of NFTs being stolen, there appears to be no further reported damage beyond the leaked email addresses. Still, the number of people likely impacted by the breach is significant. Hackread noted that 1.8 million users made purchases through the Ethereum network on OpenSea, according to data from Dune Analytics.

Yesterday the company sent emails to OpenSea users who they suspected were involved, warning them to be on the lookout for phishing emails and other scams. Beyond standard advice such as not to download attachments or click on a link from an OpenSea email, users were also warned not to sign wallet transactions directly from an email or to share or confirm secret wallet phrases.

The identity of the third party who received the breached email addresses has not been revealed. A representative from Customer.io toldTechCrunch that the employee behind the breach had “role-specific” access to the OpenSea data that they abused. “We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.”