- NFT exchange Opensea has warned of imminent phishing attempts after its email database was compromised
- An employee for Opensea’s email vendor Customer.io downloaded and shared the entire Opensea email database
- The situation will be familiar to Ledger users, who faced the same thing in 2020
Opensea has warned its users to expect phishing attacks over email after a huge data breach. The NFT marketplace warned that a staff member at Customer.io, an email vendor used by Opensea, illegally downloaded and shared email addresses of the platform’s users and newsletter subscribers with an unauthorised third party. The breach is reminiscent of the Ledger hacks of 2020, for which the company is still paying a reputational price.
Opensea Database Downloaded by Email Vendor
Opensea warned of the breach late on Wednesday, meaning that most users will have received the news yesterday. The exchange posted about the news on Twitter, saying that it was sending an email to all affected users, which seems to be anyone who has ever submitted an email address to the platform, before adding that hackers might use this opportunity to…engage in a phishing attack:
An employee of our email vendor, https://t.co/6vM4WAcJal, misused their employee access to download & share email addresses with an unauthorized external party.
Email addresses provided to Opensea by users or newsletter subscribers were impacted. https://t.co/Osb6qqkqZZ
— Opensea (@opensea) June 30, 2022
This is similar to the situation faced by Ledger users who were inundated with phishing attempts, including many that supposedly emanated from Ledger itself, when the hardware wallet maker suffered a series of data breaches.
Inside Job Prompts Safety Reminders
Opensea said that the Customer.io employee in question “had role-specific access privileges that were abused”, suggesting that this was an inside job for which they were paid by hackers, and added that the person has had “all access removed and has been suspended pending the conclusion of our investigation.”
Opensea issued a list of precautions users should take to avoid being victims of any phishing attempts that result from the breach, including never downloading anything from an Opensea email, checking the domain is ‘opensea.io’, and ensuring any links are genuine before following them.
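The "check the domain is opensea.io" advice is easy to get wrong in practice, because a phishing link can contain the string opensea.io without that being the host the browser actually connects to. The following is an added example, not code from Opensea or from the original article, that parses a link the way a browser would and compares the real hostname against the brand domain. It assumes that only https links count as genuine and that subdomains of opensea.io (such as docs.opensea.io) are acceptable; the article itself names only the bare domain. The sample links are constructed for illustration and are not taken from any real campaign.

```python
from urllib.parse import urlparse

# The domain the article tells readers to look for.
ALLOWED_DOMAIN = "opensea.io"


def hostname_is_genuine(hostname: str, allowed: str = ALLOWED_DOMAIN) -> bool:
    """True only if hostname is exactly `allowed` or a subdomain of it.

    Assumption (not stated in the article): subdomains of the brand
    domain are also acceptable.
    """
    if not hostname:
        return False
    hostname = hostname.rstrip(".").lower()
    # Internationalised (punycode) labels are where homograph look-alikes
    # live; a plain ASCII brand domain has no reason to contain them.
    try:
        ascii_host = hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    if "xn--" in ascii_host:
        return False
    return ascii_host == allowed or ascii_host.endswith("." + allowed)


def link_is_genuine(url: str) -> bool:
    """Parse the URL the way a browser would and check the real host.

    Catches the usual tricks: the brand domain appearing in the path, in
    the userinfo part before '@', or as a prefix of a different
    registered domain (opensea.io.something.com).
    """
    try:
        parsed = urlparse(url.strip())
    except ValueError:
        return False
    if parsed.scheme != "https":
        return False
    return hostname_is_genuine(parsed.hostname)


def naive_check(url: str) -> bool:
    """The substring test many people do in their head; shown for contrast."""
    return "opensea.io" in url.lower()


# Constructed sample links (not from any real campaign) for demonstration.
SAMPLE_LINKS = [
    "https://opensea.io/collection/example",
    "https://docs.opensea.io/",
    "https://opensea.io.example-login.com/verify",  # brand as a subdomain of another site
    "https://opensea-io.com/claim",                 # look-alike registered domain
    "https://opensea.io@example.net/",              # brand in the userinfo part
    "https://example.org/opensea.io/",              # brand in the path
    "http://opensea.io/",                           # right host, plaintext scheme
    "https://opensеa.io/",                          # the 'е' is Cyrillic, a homograph of 'e'
]


def classify(links=SAMPLE_LINKS) -> dict:
    """Map each link to (parsed-host verdict, naive substring verdict)."""
    return {u: (link_is_genuine(u), naive_check(u)) for u in links}


if __name__ == "__main__":
    for url, (genuine, naive) in classify().items():
        label = "GENUINE" if genuine else "SUSPECT"
        print(f"{label}  naive={str(naive):5}  {url}")
```

Only the first two sample links pass the parsed-host check, while the naive substring test accepts the subdomain, userinfo and path variants. The same idea applies to any brand domain: compare the parsed hostname, never the raw string.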
Customer.io has so far failed to mention the breach on its social media accounts, leaving Opensea to take all the flak despite the failure having occurred at its vendor rather than on its own systems.