OpenSea API tokens were compromised in a third-party breach, exposing customer information and allowing hackers to make unauthorized requests. The leading NFT marketplace told its customers that their API keys were compromised after a third-party vendor experienced a security incident.
“One of our vendors experienced a security incident that may have exposed information about your OpenSea API key,” the NFT marketplace emailed customers around September 23, 2023.
Although customers were not in immediate danger, OpenSea warned that attackers could consume the rate and usage limits allocated to a key, preventing its owner from fully using their subscription.
OpenSea API keys deprecated after a third-party breach
OpenSea advised customers to replace their existing keys, which were to expire on Monday, October 2, 2023.
“The newly generated API keys will have the same permissions and rate limits as the expiring ones,” OpenSea assured its customers.
It remains unclear whether rotating the OpenSea API keys would fully protect customers. The company has not disclosed whether the third-party breach exposed personal data beyond the API keys.
Similarly, the number of victims impacted by the OpenSea API third-party breach remains unknown. The data breach could have a significant impact since OpenSea is the second-largest non-fungible token (NFT) marketplace by trading volume (36.5%) after Blur (56.8%), which launched only a year ago.
The company also withheld the breached company’s identity but disclosed that “many Fortune 500 companies” used its services. The third-party breach from a “trusted vendor” highlights the cyber risk external service providers pose to primary organizations.
It appears that threat actors cannot abuse the compromised OpenSea API keys to bypass two-factor authentication (2FA). The company has likely scoped its keys to particular actions, such as authentication and account management, which limits the impact of the third-party breach.
Commenting on the OpenSea API third-party breach, Jason Kent, Hacker in Residence at Cequence Security, warned of a “perfect storm.”
“In systems that are automatically used, it is often the case that they are set up with long-term access being a priority, but, as shown here, this is a poor design,” said Kent. “If the data repository is accessible and the keys are compromised, a perfect storm exists where the data can be acquired by a malicious 3rd party. Rotating the keys is extremely important; it should happen early and often. Long-term key storage is how these types of breaches can occur.”
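The two defensive points made above, that keys scoped to specific actions limit what a leaked key can do, and that rotation with a short overlap window invalidates a leaked key while the replacement keeps the same permissions and rate limits, can be shown in a small key store. The following Python is an added example written for this article, not OpenSea's code; the scope names (`read:assets`, `account:manage`), the quotas, the grace and lifetime periods and the timestamp are all constructed for the illustration.

```python
"""Scoped, expiring API keys with overlap rotation.

Added illustration, not OpenSea's code. The scope names, quotas and
timestamps below are constructed for the example.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    key_hash: str          # only a hash of the key is stored server-side
    scopes: frozenset      # actions this key may perform
    rate_limit: int        # requests allowed on this key
    expires_at: float      # unix timestamp after which the key is rejected
    used: int = 0          # requests already consumed


class KeyStore:
    """Issues, checks and rotates API keys."""

    def __init__(self):
        self._records = {}  # key_hash -> KeyRecord

    @staticmethod
    def _hash(raw_key):
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, scopes, rate_limit, expires_at):
        raw = secrets.token_urlsafe(32)
        rec = KeyRecord(self._hash(raw), frozenset(scopes), rate_limit, expires_at)
        self._records[rec.key_hash] = rec
        return raw  # the raw key is shown to the owner once and never stored

    def authorize(self, raw_key, scope, now):
        """Return 'ok' and consume one request, or the reason for refusal."""
        rec = self._records.get(self._hash(raw_key))
        if rec is None:
            return "unknown_key"
        if now >= rec.expires_at:
            return "expired"
        if scope not in rec.scopes:
            return "scope_denied"
        if rec.used >= rec.rate_limit:
            return "rate_limited"
        rec.used += 1
        return "ok"

    def rotate(self, raw_key, now, grace_seconds, lifetime_seconds):
        """Issue a replacement with identical scopes and limits.

        The old key keeps working only until the grace period ends, so
        clients can switch over without an outage.
        """
        old = self._records[self._hash(raw_key)]
        old.expires_at = min(old.expires_at, now + grace_seconds)
        return self.issue(old.scopes, old.rate_limit, now + lifetime_seconds)

    def describe(self, raw_key):
        """Scopes and rate limit attached to a key, for comparison."""
        rec = self._records[self._hash(raw_key)]
        return sorted(rec.scopes), rec.rate_limit


DAY = 86400


def demo():
    """Walk through a leaked key followed by rotation; returns the outcomes."""
    store = KeyStore()
    t0 = 1_695_427_200.0  # constructed timestamp (23 Sep 2023 UTC)
    key = store.issue({"read:assets"}, rate_limit=3, expires_at=t0 + 30 * DAY)
    out = {}
    # A leaked key scoped to reads cannot reach account management.
    out["leak_account_manage"] = store.authorize(key, "account:manage", t0)
    # The owner rotates: 7-day grace for the old key, 90-day life for the new one.
    new_key = store.rotate(key, now=t0, grace_seconds=7 * DAY, lifetime_seconds=90 * DAY)
    out["same_limits"] = store.describe(new_key) == store.describe(key)
    # During the grace period anyone holding the old key can burn its quota...
    out["old_key_in_grace"] = [store.authorize(key, "read:assets", t0 + 1) for _ in range(3)]
    # ...so the legitimate owner is rate-limited on that key.
    out["owner_after_burn"] = store.authorize(key, "read:assets", t0 + 2)
    # Once the grace period ends the old key is rejected outright.
    out["old_key_after_grace"] = store.authorize(key, "read:assets", t0 + 8 * DAY)
    # The new key works, with the same scope boundary as before.
    out["new_key_read"] = store.authorize(new_key, "read:assets", t0 + 8 * DAY)
    out["new_key_manage"] = store.authorize(new_key, "account:manage", t0 + 8 * DAY)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The grace window is the trade-off to watch: it keeps clients running during the switch, but for its whole length a holder of the old key can still spend the owner's quota, which is exactly the exposure described earlier in the article. Keeping that window short, and storing only a hash of each key server-side so a database exposure does not hand out usable credentials, are the two settings a reviewer should check in a store like this.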
The OpenSea API keys leak follows another third-party security breach involving the on-chain analytics platform Nansen. The data breach exposed users’ blockchain addresses, password hashes, and email addresses, impacting 6.8% of customers. Threat actors could use the exposed information to phish the victims and commit fraud.
Various security incidents at OpenSea in the past
OpenSea has suffered numerous security incidents in the past. In February 2022, hackers exploited a flaw in the Wyvern Protocol to steal tokens worth $1.7 million by tricking users into transferring tokens without receiving payment. Over 250 NFTs, including Bored Ape Yacht Club items, illegally changed ownership.
In May 2022, hackers compromised OpenSea’s Discord server to promote a fake “Mint Pass” YouTube partnership. They tricked numerous customers into clicking a phishing link, resulting in the theft of assets worth 10 ETH. The attackers created a sense of urgency by offering 100 NFTs to those who claimed them first.
According to blockchain intelligence firm TRM Labs, similar “NFT minting” scams run through more than 100 compromised Discord servers facilitated the theft of over $22 million between May and July 2022. The attacks exploit vulnerabilities in admin bots to gain access to privileged accounts, and sometimes lock out moderators so that the spam posts cannot be deleted.
OpenSea also suffered a data breach in June 2022, when an employee of the email delivery platform Customer.io abused their access and leaked the email addresses of OpenSea’s customers. The NFT marketplace reported the incident to law enforcement and advised customers to be vigilant for potential phishing attacks.