Last night, OpenSea — widely regarded as the world’s most popular NFT marketplace — dropped a bombshell of a blog post. According to their report, they use Customer.io as an email vendor. The problem? One of the vendor’s employees “misused their employee access to download & share email addresses [of OpenSea’s userbase] with an unauthorized third party.”
Ultimately, the scale of the security breach seems to be simply massive. A large chunk of OpenSea’s active user base of over 1.5 million, in addition to anyone who subscribed to its newsletter, may have had their email address compromised. “If you have shared your email with OpenSea in the past, you should assume you were impacted,” the company said.
On Twitter, a number of OpenSea users are already complaining about an uptick in spam emails, calls, and text messages.
Should you worry about the OpenSea breach?
One of the most prevalent forms of attack and theft in the NFT space is the age-old phishing attack. Since 2021, hackers have successfully plundered millions of dollars worth of NFTs via malicious links across the entire space: OpenSea included.
With so many email addresses from OpenSea users exposed, bad actors could easily impersonate OpenSea or its employees, goading users into clicking links that would see their NFT wallets and collections emptied in a flash. The NFT giant itself has warned users in a thread on Twitter about what they might find in their email inboxes in the coming weeks.
OpenSea informed users via email if their addresses were among those sold off to the third party in the data breach. Some users were quick to point out the irony of it all.
With OpenSea still recovering from the highly publicized case of insider trading by one of its former employees, this data breach has dealt yet another blow to the NFT marketplace’s public image. As of writing, Customer.io’s investigation into the matter is still ongoing, with no indication on OpenSea’s end whether they will continue or cease their relationship with the email service provider.
How to stay safe
You likely don’t want to change your email because of this breach. Totally understandable. So, here’s what you need to do in order to keep yourself safe:
- Look out for emails from OpenSea and ensure the address is correct: OpenSea will only send you emails from the domain: “opensea.io.”
- Never download anything from an OpenSea email: OpenSea emails will never include any attachments. Never.
- Check the URL of any page linked in an OpenSea email: Hyperlinks should always point to “email.opensea.io” URLs. Double-check to ensure that “opensea.io” is spelled correctly.
- Never share or confirm your passwords or secret wallet phrases: Not with OpenSea or anyone else. Ever.
- Never sign a wallet transaction prompted directly from an email: OpenSea emails will never contain links that prompt you to sign a wallet transaction.
- Never sign a wallet transaction that doesn’t list the right origin: It should always say “https://opensea.io” if you were led there by email.
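The checklist above can be turned into a small triage script. This is an added example written for this article, not code from OpenSea or Customer.io; it assumes the policy stated in the list (mail only from opensea.io, links only to email.opensea.io or opensea.io, never an attachment) and uses constructed sample headers and URLs.

```python
"""Triage helper for emails claiming to come from OpenSea (added example, not OpenSea's code)."""
import re
from urllib.parse import urlparse

# Policy assumed from the checklist above.
SENDER_DOMAIN = "opensea.io"
LINK_HOSTS = {"opensea.io", "email.opensea.io"}


def _domain_matches(host: str, domain: str) -> bool:
    # Exact match or a real subdomain. "opensea.io.attacker.example" and
    # "opensea-io.com" both fail because the suffix must be ".opensea.io".
    return host == domain or host.endswith("." + domain)


def sender_ok(from_header: str) -> bool:
    """Pull the mailbox out of a From: header and check its domain."""
    addr = from_header.strip().lower()
    m = re.search(r"<([^>]+)>", addr)          # "OpenSea <x@y>" -> "x@y"
    if m:
        addr = m.group(1)
    if addr.count("@") != 1:
        return False
    return _domain_matches(addr.rsplit("@", 1)[1], SENDER_DOMAIN)


def link_ok(url: str) -> bool:
    """A link passes only if it is https and its real host is an allowed OpenSea host."""
    try:
        p = urlparse(url.strip())
    except ValueError:
        return False
    host = (p.hostname or "").lower()
    # hostname ignores userinfo, so https://email.opensea.io@evil.example resolves to evil.example
    return p.scheme == "https" and host in LINK_HOSTS


def assess(from_header, links, attachments):
    """Return a list of red flags; an empty list means nothing in the checklist was violated."""
    flags = []
    if not sender_ok(from_header):
        flags.append(f"sender not on {SENDER_DOMAIN}: {from_header}")
    flags += [f"link does not point at an OpenSea host: {u}" for u in links if not link_ok(u)]
    if attachments:
        flags.append(f"unexpected attachment(s): {', '.join(attachments)}")
    return flags


if __name__ == "__main__":
    # Constructed sample message, not a real one.
    sample = ("OpenSea <no-reply@opensea.io.secure-login.example>",
              ["https://email.opensea.io@evil.example/claim"], ["wallet_backup.zip"])
    for flag in assess(*sample):
        print("!", flag)
```

The From: check only inspects the header text, so it relies on the mail provider enforcing SPF/DKIM/DMARC against forged senders; the link check deliberately looks at the parsed host rather than the displayed text.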