The largest NFT marketplace in the world said that a staff member at Customer.io, an email vendor hired by OpenSea, misused their employee access to download the email addresses of OpenSea’s users and newsletter subscribers and share them with an unauthorized outside party.
The security compromise appears to be of enormous scope. The company stated that if you have shared your email with OpenSea in the past, you should presume you were impacted. In response to the incident, the company has informed law enforcement and is cooperating with Customer.io in an ongoing investigation.
Screenshots posted on Twitter demonstrate that OpenSea also emailed consumers to alert them to the incident.
Attacks on popular NFT giant OpenSea
The latest data breach is far from the only significant attack this year on OpenSea and its subscribers. The famous NFT marketplace’s Discord server was hacked in May, which sparked a flood of phishing attacks. Numerous user wallets were in fact exploited.
The platform experienced one of its most severe attacks to date in January, during which an exploit allowed attackers to sell NFTs without authorization. The marketplace compensated for losses of $1.8 million.
Judging by the high frequency of data leaks, email newsletter management systems and customer relationship management (CRM) software seem to be a weak point for crypto firms.
A breach of HubSpot, a program similar to Customer.io, affected BlockFi, Swan Bitcoin, NYDIG, and Circle in March. Users’ names, contact information, and email addresses were made available to a third party.
Fatman Terra, a renowned cryptocurrency whistleblower, questioned whether the outside party received only the list of email addresses or also the list of associated blockchain addresses.
An NFT marketplace employee responded by saying that Customer.io does not have access to any wallet addresses.
Customers of OpenSea are complaining on Twitter about a spike in spam calls, messages, and emails. The platform also cautioned users that dishonest actors may try to contact them from email addresses on domains that resemble OpenSea.io, such as OpenSea.org or OpenSea.xyz.