View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

NFT marketplace OpenSea reports massive data breach that could affect millions of users

A breach at the marketplace's email provider has left millions of its users exposed to possible attacks.

By Claudia Glover

The world’s largest NFT marketplace OpenSea has incurred a data breach after an employee at its email delivery service leaked user data. The breach could affect millions of people, as any customer who has shared their email address with the company may be vulnerable, it says.

OpenSea marketplace
The breach could affect millions of people, as any customer who has shared their email address with the company may be vulnerable, it says. (Photo Illustration by Sheldon Cooper/SOPA Images/LightRocket via Getty Images)

OpenSea released a statement late last night claiming that an employee at Customer.io, a marketing platform it uses to deliver emails to customers, “misused their employee access to download and share email addresses” with an “unauthorised external party”.

The scale of the OpenSea data breach appears to be massive as any customer who has shared an email address with the company has been urged to remain on high alert for phishing scams. “Please stay vigilant about your email practices,” reads the statement. “Be alert for any attempt to impersonate OpenSea via email.”

The company says it is assisting Customer.io with its own investigation and has reported the incident to law enforcement.

A spokesperson for Customer.io said: “As soon as we learned of the incident, we took immediate steps to investigate, contain its impact and determine its source, including hiring a third-party forensic investigations firm. We are working closely with OpenSea and are reviewing exactly how these email addresses were compromised.

“We believe this resulted from the actions of an employee who had role-specific access privileges that were abused. We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.”

The company says it has launched a comprehensive review of its access and compliance policies and will make adjustments where necessary.

What is OpenSea?

OpenSea is the biggest trading platform for non-fungible tokens, or NFTs, unique digital assets which can represent anything from a piece of art to a concert ticket. In January the platform reportedly generated nearly $5bn in trading volume, and in April the company was valued at $13.3bn after a $300m Series C funding round led by Paradigm and Coatue.

Content from our partners
Why enterprises of all sizes must  embrace smart manufacturing solutions
European Technology Leadership: Deutsche Bank CTO Gordon Mackechnie
Print’s role in driving the environmental agenda

Over 1.8 million users have made at least one NFT purchase through the Ethereum network on OpenSea in the past month, according to data correlated by open source crypto analytics platform Dune Analytics. 

Email delivery platforms are a targeted vulnerability for breaches

OpenSea took to Twitter to warn customers about the data breach, and users appear to be already experiencing the consequences.

This is not the first time an email provider has been targeted as a weak spot for crypto platforms. In March a similar service to Customer.io, Hubspot, suffered a breach that exposed personally identifiable information (PII) like usernames, phone numbers and emails from several blockchain-driven wealth management platforms including Swan Bitcoin, BlockFi, Circle and NYDG.

Read more: The biggest cryptocurrency hacks of all time

Topics in this article:
Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED

THANK YOU