OpenSea, the largest non-fungible token (NFT) marketplace by trading volume, has suffered a data breach after an employee at Customer.io, the platform’s email delivery partner, leaked user data.
In a blog post on Thursday, the marketplace said that an employee of Customer.io “misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorized external party.”
An employee of our email vendor, https://t.co/6vM4WAcJal, misused their employee access to download & share email addresses with an unauthorized external party.
Email addresses provided to OpenSea by users or newsletter subscribers were impacted. https://t.co/Osb6qqkqZZ
— OpenSea (@opensea) June 30, 2022
According to OpenSea, all customers who have shared their email with the platform in the past should assume they have been impacted by the breach. The company added that this could result in “a heightened likelihood for email phishing attempts trying to impersonate OpenSea.”
OpenSea said that malicious actors may try to contact customers via emails originating from domains that look similar to OpenSea.io, such as OpenSea.org and OpenSea.xyz.
Some customers took to Twitter to share screenshots showing that OpenSea contacted them by email to inform them about the breach.
The company added that it is assisting Customer.io in its ongoing investigation, and has reported the incident to law enforcement.
More crypto data leaks
Although crypto-focused companies usually pay close attention to the security of their operations, this is not the first time the space has been hit with a major data leak.
In March, a data breach at HubSpot, a popular customer relations management software firm, resulted in hackers stealing customer data from Circle, BlockFi, Pantera Capital, NYDIG, and other prominent crypto firms.
“The information that may have been accessed includes first and last names, email addresses, mailing addresses, phone numbers, and regulatory classifications,” Pantera said at the time.
Last month, OpenSea also saw its Discord server compromised and flooded with phishing advertisements promoting a scam NFT mint offered in partnership with YouTube.
In January, the NFT platform fell victim to one of its most devastating attacks to date, where hackers used an exploit to buy several NFTs well below their market value. OpenSea later reimbursed about $1.8 million to users who accidentally sold their NFTs, while also rolling out an “inactive listings” feature.