UPDATED OpenSea, the world’s largest non-fungible token (NFT) marketplace, has revealed that a rogue employee at a third-party vendor shared its users’ email addresses with an unauthorized external entity.
“If you have shared your email with OpenSea in the past, you should assume you were impacted,” users were warned by OpenSea head of security Cory Hardman in a blog post yesterday (June 29).
According to OpenSea, the culprit was employed by Customer.io, an automated messaging platform used by marketers to create and send emails, push notifications, and SMS messages.
“We recently learned that an employee of Customer.io, our email delivery vendor, misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorized external party,” said Hardman.
“We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”
Customer.io issued the following statement to The Daily Swig:
As soon as we learned of the incident, we took immediate steps to investigate, contain its impact and determine its source, including hiring a third-party forensic investigations firm. We are working closely with OpenSea and are reviewing exactly how these email addresses were compromised.
We believe this resulted from the actions of an employee who had role-specific access privileges that were abused. We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.
Additionally we are always working to improve our security and we have launched a comprehensive review of our access and compliance policies and will make adjustments where necessary.
Phishing warning
Hardman warned users of “a heightened likelihood for email phishing attempts”, and urged them to “be alert for any attempt to impersonate OpenSea” from email addresses that look “visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation).”
Moreover, continued Hardman, users should always scrutinize embedded hyperlinks before clicking, and never download attachments from emails purporting to be from OpenSea, or share passwords or secret wallet phrases, or sign wallet transactions, when prompted via email.
Over on Twitter, security researcher ‘CIA Officer’ advised users to be vigilant about the use of the phishing tool Email Appender, IP loggers, and canary tokens.
“I strongly recommend checking email header, domain and disable ‘download remote content’, also do not forget about MFA [multi-factor authentication]!” they added.
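The header and domain check recommended above, as an added example that is not part of the original article or of OpenSea’s advice: it pulls the sender domain out of a From: header and flags domains that only resemble the official ‘opensea.io’, including the ‘opensea.org’ variation the post names. The sample headers are constructed, and the heuristic is a header-string check only, not a substitute for SPF/DKIM/DMARC verification.

```python
from email.utils import parseaddr

OFFICIAL_DOMAIN = "opensea.io"  # official domain named in the warning above


def sender_domain(from_header: str) -> str:
    """Lowercase domain of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domain names are short enough for the O(n*m) table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str, official: str = OFFICIAL_DOMAIN) -> str:
    """Return 'official', 'lookalike' or 'other' for the From: domain.

    Lookalike covers: the official name under another TLD (opensea.org),
    the official name embedded in a longer domain (opensea-io.com,
    opensea.io.example.net) and domains within two edits of the official
    one (0pensea.io). Header strings can be spoofed, so 'official' here
    only means the displayed domain matches; authenticate the sender separately."""
    domain = sender_domain(from_header)
    if not domain:
        return "other"
    if domain == official or domain.endswith("." + official):
        return "official"
    name = official.rsplit(".", 1)[0]  # 'opensea'
    if name in domain or edit_distance(domain, official) <= 2:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ("OpenSea <noreply@opensea.io>",
                "OpenSea <support@opensea.org>",
                "OpenSea Support <help@opensea.io.example.net>",
                '"OpenSea" <team@0pensea.io>',
                "Alice <alice@example.com>"):
        print(f"{classify(hdr):9s} {hdr}")
```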
Founded in New York in 2017, OpenSea claims to be the world’s first as well as biggest marketplace focused on NFTs and crypto collectibles.