OpenSea has warned users about a data breach that could lead to phishing attacks. In a blog post, Cory Hardman, the head of security at OpenSea, said an employee of Customer.io had misused their employee access to download email addresses provided by the NFT marketplace’s users and newsletter subscribers, and to share them with an “unauthorized external party”.
The blog post said that users who had shared their email with OpenSea in the past should assume that they were impacted. OpenSea is working with Customer.io in the ongoing investigation. The incident has also been reported to law enforcement.
OpenSea also warned about possible phishing attacks by hackers using a domain name similar to the official opensea.io – such as “opensea.org” or “opensae.io”. The NFT marketplace explained that because the data compromise includes email addresses, there may be a heightened likelihood of email phishing attempts. It strongly recommended that users follow a set of guidelines:
- Do not download anything from an OpenSea email: authentic emails from OpenSea do not include attachments or requests to “download anything”.
- Be wary of phishing emails from other addresses: the platform will only send emails to users from the domain “opensea.io”. Do not engage with any other email claiming to be from OpenSea.
- Check the URL of any page linked from an OpenSea email: the platform only includes hyperlinks to “email.opensea.io” URLs. Make sure “opensea.io” is spelled correctly, as hackers impersonate the URLs by shuffling letters. Be extra careful.
- Never share, reveal or confirm passwords or secret wallet phrases: OpenSea “never” requires this of users.
- Never sign a wallet transaction directly from an email: the platform’s emails will never contain links that prompt you to sign a wallet transaction.
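
The sender, link and attachment checks above can be automated. The following is an added example, not code from OpenSea or Customer.io: it flags a message whose sender domain is not “opensea.io”, whose links point anywhere but “email.opensea.io”, or that carries an attachment. The two-edit look-alike threshold and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

SENDER_DOMAIN = "opensea.io"    # only sending domain, per the guidelines
LINK_HOST = "email.opensea.io"  # only host used in links, per the guidelines
BRAND = "opensea"

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap ('ea' -> 'ae') as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify_host(host, allowed):
    host = host.lower().rstrip(".")
    if host == allowed:
        return "ok"
    # Assumed threshold: a label within two edits of the brand is a look-alike.
    if any(osa_distance(label, BRAND) <= 2 for label in host.split(".")):
        return "lookalike"
    return "foreign"

def check_email(raw):
    msg, findings = message_from_string(raw), []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if (v := classify_host(domain, SENDER_DOMAIN)) != "ok":
        findings.append(("sender", domain, v))
    for part in msg.walk():
        if part.get_filename():  # authentic mail carries no attachments
            findings.append(("attachment", part.get_filename(), "unexpected"))
        elif part.get_content_maintype() == "text":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r'https?://[^\s"<>]+', text):
                host = urlsplit(url).hostname or ""
                if (v := classify_host(host, LINK_HOST)) != "ok":
                    findings.append(("link", host, v))
    return findings

# Constructed sample message (not a real email).
SAMPLE = ('From: OpenSea <support@opensae.io>\nContent-Type: multipart/mixed; boundary="b"\n\n'
          "--b\nContent-Type: text/plain\n\nSee https://opensea.org/x and https://email.opensea.io/news\n"
          '--b\nContent-Disposition: attachment; filename="update.zip"\n\nAAAA\n--b--\n')
```

The From header can be forged, so a clean result here does not replace SPF, DKIM and DMARC checks by the receiving mail server.
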
The latest incident comes after OpenSea’s former head of product, Nathaniel Chastain, was indicted by the Department of Justice for insider trading in connection with NFTs.