The Sandbox, a blockchain-based metaverse company, released a warning regarding a security breach.
The company explained in a blog post on Thursday that an unauthorized third party accessed an employee’s computer and sent a fraudulent email to the platform’s users.
The fraudulent email, titled “The Sandbox Game (PURELAND) Access,” was sent on Feb. 26 and contained links that could install malware on a user’s computer if clicked on. This malware would give the third party control over the user’s computer, allowing access to their personal information. The company has stated that the third party only had access to the single employee’s computer and was unable to access any other service or account of The Sandbox.
The only data the attacker had access to was email addresses of The Sandbox users, the company said. So far, no financial loss has been reported.
The Sandbox warned users to be wary of potential phishing attacks following the breach, telling targeted users “not to open, play, or download anything from the hyperlinked website.” It also recommended that users strengthen their passwords, implement two-factor authentication, and avoid clicking on suspicious links.
The project has taken quick action to address the issue, including emailing users who may have received the fraudulent email, blocking the employee’s accounts and access, and resetting all related passwords with two-factor authentication. The employee’s laptop was also reformatted, and the company said it was working to improve its security policies and practices.
This breach is the latest in a string of email-based phishing attempts aimed at stealing crypto assets or extracting information from crypto users. Just recently, the email system of domain name registrar Namecheap was breached, resulting in a widespread phishing campaign that told users to upgrade crypto wallets.
There have been times when hackers have been able to steal large sums of money with these types of phishing email campaigns. For example, in February 2022, a bad actor stole about $2 million worth of NFTs from OpenSea users by tricking them into signing a malicious transaction sent via an email link.