NFT marketplace OpenSea warns of data breach that could lead to phishing attacks


Graham Cluley
@gcluley


Popular NFT marketplace OpenSea has warned users that they might be targeted with phishing attacks following a data breach that exposed the email addresses of its users and newsletter subscribers.

In a blog update, OpenSea’s head of security Cory Hardman broke the bad news:

“If you have shared your email with OpenSea in the past, you should assume you were impacted.”

However, you would be wrong to think that OpenSea was breached directly.

Instead, according to Hardman, an employee of Customer.io – OpenSea’s email delivery vendor – abused their privileges to download OpenSea’s user email and newsletter email lists. This data was then shared with an unauthorised third party.

It is easy to imagine how cybercriminals and fraudsters could abuse a list of OpenSea’s users’ contact details to send convincing-looking phishing emails that might pretend to come from OpenSea.


OpenSea says it has alerted law enforcement about the incident, and presumably has some pretty harsh words to share with Customer.io as well.

In addition, OpenSea is emailing affected users warning about the breach.

In its advisory, OpenSea has shared the following advice:

  • Be cautious of phishing emails from addresses trying to impersonate OpenSea. OpenSea will ONLY send you emails from the domain: ‘opensea.io.’ Please do not engage with any email claiming to be from OpenSea that does not come from this email domain.
  • Never download anything from an OpenSea email. Authentic OpenSea emails do not include attachments or requests to download anything.
  • Check the URL of any page linked in an OpenSea email. We will only include hyperlinks to ‘email.opensea.io.’ URLs. Make sure that ‘opensea.io’ is spelled correctly, as it’s common for malicious actors to impersonate URLs by shuffling letters.
  • NEVER share or confirm your passwords or secret wallet phrases. OpenSea will never prompt you to do this – in any format.
  • NEVER sign a wallet transaction prompted directly from an email. OpenSea emails will never contain links which directly prompt you to sign a wallet transaction. Never sign a wallet transaction that doesn’t list the origin of https://opensea.io if you were led there by email.
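The domain checks in the advice above can be automated for a mail filter or a user-facing "is this really OpenSea?" helper. The following is an added example (not code from OpenSea or from this article): it takes the two domains the advisory names, opensea.io for senders and email.opensea.io for links, and flags exact matches as ok, shuffled, typo'd or embedded variants as lookalikes, and everything else as other. The sample headers and links are constructed.

```python
import email.utils
from urllib.parse import urlsplit

# The only values taken from the advisory: legitimate sender and link domains.
SENDER_DOMAIN = "opensea.io"
LINK_HOST = "email.opensea.io"

def _host_of_url(url: str) -> str:
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")

def _domain_of_sender(from_header: str) -> str:
    """Domain part of a From: header, e.g. 'OpenSea <x@opensea.io>' -> 'opensea.io'."""
    _, addr = email.utils.parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else ""

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(candidate: str, expected: str) -> str:
    """'ok' on an exact match, 'lookalike' for near-misses, 'other' otherwise."""
    if candidate == expected:
        return "ok"
    if not candidate:
        return "other"
    if sorted(candidate) == sorted(expected):       # letters shuffled: opensae.io
        return "lookalike"
    if _edit_distance(candidate, expected) <= 2:    # one or two chars off: opensea.co
        return "lookalike"
    if expected in candidate:                       # real name embedded in a longer host
        return "lookalike"
    return "other"

def check_sender(from_header: str) -> str:
    """Verdict for a From: header against the advisory's sender domain."""
    return classify_domain(_domain_of_sender(from_header), SENDER_DOMAIN)

def check_link(url: str) -> str:
    """Verdict for a hyperlink; 'ok' only for https links to email.opensea.io."""
    verdict = classify_domain(_host_of_url(url), LINK_HOST)
    if verdict == "ok" and urlsplit(url.strip()).scheme != "https":
        return "other"
    return verdict

if __name__ == "__main__":
    # Constructed samples, not taken from any real message.
    for s in ["OpenSea <notifications@opensea.io>", "OpenSea <support@opensae.io>"]:
        print(s, "->", check_sender(s))
    for u in ["https://email.opensea.io/click?c=1", "https://email.opensea.co/click"]:
        print(u, "->", check_link(u))
```

The anagram and edit-distance tests cover the "shuffled letters" trick the advisory mentions; the substring test catches hosts that merely contain the real name, which an exact-match check alone would not surface as suspicious.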

OpenSea claims to have over 600,000 users.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
