OpenSea Warns of Phishing Attacks Due to Data Breach
A third-party vendor’s employee misused their access to OpenSea’s customer data, the head of security said
Blockworks Exclusive Art by Axel Rangel
- A Customer.io employee shared email addresses with an unauthorized external party
- OpenSea warned users of fraudsters trying to impersonate the platform by using fake domain names
Collectibles platform OpenSea has alerted customers to a data breach after staff found email addresses were shared with an external party.
Head of Security Cory Hardman said in a blog post on Wednesday that an employee of Customer.io, OpenSea’s email delivery vendor, abused their access by downloading and externally sharing customer data.
“If you have shared your email with OpenSea in the past, you should assume you were impacted,” he wrote. “We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”
The company further warned customers might face phishing attacks — attempts by cybercriminals posing as credible institutions with an aim to obtain sensitive information — by using a domain name similar to the official “opensea.io,” such as “opensea.org” or “opensae.io.”
Screenshots posted to Twitter show OpenSea notified customers about the data breach via email. Some users demanded compensation.
Customer.io told Blockworks that the employee in question has been suspended and had access removed, pending an internal investigation. “We are working closely with OpenSea and are reviewing exactly how these email addresses were compromised,” a spokesperson for the vendor company said.
A similar incident occurred in March, when hackers breached third-party marketing vendor HubSpot to target large crypto stakeholders. NYDIG, Pantera Capital, BlockFi, Circle and Swan Bitcoin were among the affected companies.
OpenSea found itself in a sea of trouble thanks to another incident prior the data breach. The Department of Justice earlier this month charged its former head of product, Nathaniel Chastain, with insider trading in connection to non-fungible tokens (NFTs). He was charged with one count of wire fraud and another count of money laundering.
Chastain resigned from his position at OpenSea in September after he was suspected of profiting from inside information and purchasing NFTs before they were posted publicly.
OpenSea remains the leading marketplace by volume by a wide margin, with over six times the sales of the second-largest NFT marketplace over the past 30 days, according to data from DappRadar.
Get the news in your inbox. Explore Blockworks newsletters:
- The Breakdown: Decoding crypto and the markets. Daily.
- 0xResearch: Alpha in your inbox. Think like an analyst.
