OpenSea Users’ Email Addresses Exposed Following Data Breach
While the broader crypto market has suffered a significant downturn, non-fungible tokens (NFTs) have proven to be viable investments. However, services in the crypto space have suffered a spate of security breaches and hacks.
The latest to report a security issue is OpenSea – the largest marketplace for NFTs.
Customer.io Exploit Spills Over to OpenSea
Earlier today, OpenSea took to Twitter to confirm that all of its users who had given their emails to OpenSea had been affected by a massive security breach. According to OpenSea, the breach appears to have been caused by an employee of Customer.io – a mail automation service that helps companies reach out to customers and manage their sales funnels via email marketing and communication.
An employee of our email vendor, https://t.co/6vM4WAcJal, misused their employee access to download & share email addresses with an unauthorized external party.
Email addresses provided to OpenSea by users or newsletter subscribers were impacted. https://t.co/Osb6qqkqZZ
— OpenSea (@opensea) June 30, 2022
The employee at Customer.io leaked Customer.io’s mailing list to a third party. OpenSea confirmed that it is investigating the matter and is working with law enforcement agents but also warned all customers to be wary of potential phishing and malware attacks.
The company specifically warned that attackers might send spam emails to customers from addresses like OpenSea.io or OpenSea.xyz. Several Twitter users have already reported cases of phishing attempts, confirming that the attackers would most likely intensify their efforts in the near future.
My info was breached thanks to OpenSea and Customer io 😂 Lord Jeebus help me. I was wondering why I had so many spammy texts, phone calls, and emails lately. 🙄
— Metzilmazatl (Moon Deer)🪶🏳️‍🌈 (@TheAscendant3) June 30, 2022
This Customer.io breach is not the first security compromise that OpenSea has had. An exploit that occurred in January allowed attackers to sell NFTs on OpenSea without permission. Although the company solved the problem quickly, it had to pay $1.8 million in victim reimbursements and settlements.
Last month, hackers gained control of OpenSea’s main Discord page. At the time, a screenshot shared by industry news publication Wu Blockchain showed that the attackers had begun sharing news of a “YouTube collaboration” as well as a link to a phishing page.
The official OpenSea Discord was hacked and posted a link to a phishing site in partnership with youtube. On April 1st, a large number of blue-chip NFT DISCORDs were hacked and posted phishing links. pic.twitter.com/uDbNklIgn3
— Wu Blockchain (@WuBlockchain) May 6, 2022
The initial post from the hacker, which was published on the Discord channel’s announcements page, announced that OpenSea had partnered with YouTube to “bring their community into the NFT space”. They also claimed that community members would get a mint pass that would allow them to mint their projects and invest in NFTs for free.
OpenSea eventually confirmed the hack, asking community members to be wary of phishing scams. They also recommended that members avoid clicking links on the Discord channel for the time being.
Do not click links in our Discord.
We are continuing to investigate this situation and will share information as we have it. https://t.co/jgtHcXifer
— OpenSea Support (@opensea_support) May 6, 2022
Despite the company’s best efforts, it would appear that the intruder was able to stay on the server for quite some time. They posted follow-up messages to the Discord channel, even reposting their fake link and claiming that over half of their fake collection’s supply had already been minted.
It is unclear how much was stolen in last month's phishing attack. However, the company will now be working towards regaining customer trust.
Security an Increasing Problem for NFT Companies
Although OpenSea has suffered multiple hacks this year, it is not the only NFT brand with this problem.
Yuga Labs, the company behind the wildly popular Bored Ape Yacht Club NFTs, has also been dealing with a rise in scams and security breaches for the past month. On June 5, blockchain investigator OKHotshot revealed that hackers had broken into the Discord group of the Bored Ape NFTs and Yuga Labs’ metaverse project, Otherside.
🚨BAYC & OtherSide discords got compromised‼️
Seems because Community Manager @BorisVagner got his account breached, which let the scammers execute their phishing attack. Over 145E in was stolen
Proper permissions could prevent this pic.twitter.com/lCl2DfZQ0W
— OKHotshot (@NFTherder) June 4, 2022
As OKHotshot explained, the attack was possible because the hackers broke into the Twitter account of Boris Vagner – Yuga Labs’ community and social manager. They managed to make off with 145 ETH in the hack.
Weeks later, Gordon Goner – Yuga Labs’ pseudonymous co-founder – took to Twitter once more to warn community members of another hack on the way. He claimed that “credible sources” had informed him that an insider at Twitter was in on a plot to help attackers bypass the security measures on Yuga Labs’ social media accounts. Goner asked community members to be very alert.
We’ve received credible information that there may soon be an attack on our social media accounts, using an inside source at @Twitter to bypass our security.
There are no surprise mints. Ever.
— GordonGoner.eth (@GordonGoner) June 11, 2022
With the market looking to stabilise, NFT brands will want to invest more into their security infrastructure as they look to scale.