The world’s largest NFT marketplace, OpenSea, warned of potential phishing attacks after a data breach by a third party exposed users’ email addresses.
Non-fungible tokens (NFTs) are digital ownership rights recorded on the Ethereum blockchain. They apply to digital or artistic creations such as images, videos, or online content.
OpenSea is worth about $13 billion with approximately 1.5 million customers, according to Dune Analytics. The third-party data breach could impact about 1.8 million newsletter subscribers and customers.
An employee of a third party accessed customer information in the OpenSea data breach
According to OpenSea, an employee of its email delivery company downloaded and shared email addresses with an unauthorized party.
“We recently learned that an employee of Customer.io, our email delivery vendor, misused their employee access to download and share email addresses with an unauthorized external party,” said OpenSea.
“We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” OpenSea wrote on its website.
“If we believe your email address was impacted, you’ll receive an email from the domain ‘http://opensea.io’,” the company tweeted on June 30, 2022.
The third party, Customer.io, added that it had revoked access privileges for the employee who shared OpenSea’s email addresses with the unauthorized party.
Additionally, the unauthorized party did not access any other OpenSea customer information, and the data breach did not impact other companies.
OpenSea anticipates that the third-party data breach impacted anybody who has shared their email addresses with the NFT marketplace.
“If you have shared your email with OpenSea in the past, you should assume you were impacted,” the NFT marketplace warned.
“This case is unique because it appears to be an intentional act by a malicious insider, rather than an accidental leak due to faulty procedures or an outside attack from a hacker or hacking group,” Adrien Gendre, Chief Tech and Product Officer at Vade said.
“Third-party vendors pose a significant risk to businesses because, as a customer, you don’t have control over your vendors’ security policies or controls,” Gendre added. “It would be interesting to know if the vendor has a DLP system in place to prevent data from being unlawfully transmitted outside the company, and if so, to learn why or how the data managed to pass to an unauthorized third party.”
NFT marketplace warns of phishing from spoofed domains and imposters
The NFT marketplace warned users to avoid phishing emails from any third party or sent from spoofed domains such as opensea.org, opensea.xyz, opensae.io, among others.
Additionally, users of the NFT marketplace should avoid downloading attachments from OpenSea emails or confirming passwords or passphrases via email.
Similarly, they should avoid signing transactions sent via emails and those originating outside the https://opensea.io domain.
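As an added example (not OpenSea’s or Customer.io’s code), the following defender-side check classifies the sender domain of an inbound message against the legitimate opensea.io domain and flags the spoofed domains the advisory lists (TLD swaps such as opensea.org and opensea.xyz, and the transposed label in opensae.io) as lookalikes. The From: header format and the one-edit distance threshold are assumptions.

```python
# Lookalike-domain check for mail claiming to come from OpenSea (added example).
# Assumes the only legitimate sender domain is opensea.io, as the advisory states.
import re

LEGIT_DOMAIN = "opensea.io"

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'OpenSea <x@opensea.io>' (assumed format)."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    return m.group(1).lower().rstrip(".") if m else ""

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: one transposition counts as one edit,
    so 'opensae' is distance 1 from 'opensea'."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Return 'legitimate', 'lookalike', or 'unrelated' for the header-claimed sender domain."""
    domain = sender_domain(from_header)
    if not domain:
        return "unrelated"
    if domain == LEGIT_DOMAIN:  # exact match only; subdomains are not trusted here
        return "legitimate"
    legit_label = LEGIT_DOMAIN.split(".")[0]
    # Any non-TLD label equal to, or one edit away from, "opensea" marks a lookalike:
    # opensea.org / opensea.xyz (TLD swap), opensae.io (transposition),
    # opensea.io.evil.example (legit name buried under another registrable domain).
    for label in domain.split(".")[:-1]:
        if edit_distance(label, legit_label) <= 1:
            return "lookalike"
    return "unrelated"
```

This inspects only the domain the header claims, so it complements rather than replaces SPF/DKIM/DMARC enforcement on the receiving side.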
NFT and crypto marketplaces are lucrative targets for cyber attacks
The recent incident occurred hot on the heels of other data breaches targeting the NFT marketplace.
In February, fraudsters stole NFTs worth $1.7 million through phishing, while hackers compromised a commonly used Discord bot in May 2022. Other crypto and NFT marketplaces have also become lucrative targets for attacks.
In May, Circle and BlockFi suffered cyber attacks via the HubSpot content management system, while a fraudster stole $150,000 from the Fractal NFT marketplace. Similarly, the Bored Ape Yacht Club lost $360,000 worth of NFTs in a phishing attack.
However, the Ronin cyber attack is the mother of all crypto data breaches, with hackers stealing $625 million in March 2022. Cyber forensic experts attributed the breach to the North Korean hacking group Lazarus.
“NFTs are a great example of how ‘possession is nine-tenths of the law,’” Tim Prendergast, CEO of strongDM, said. “If you have possession of the NFT, then you have possession of the NFT. The same goes for access credentials—possession of credentials guarantees access.”
According to Javvad Malik, Security Awareness Advocate at KnowBe4, there was an observable surge in cryptocurrency attacks with social engineering as a popular tactic.
“While the underlying blockchain technology is often secure, people still need to log in to services or their wallet with a username and password,” Malik said. “These credentials can be tricked out of a user through a phishing email, a form, an SMS, or other forms of social engineering technique.”