The world’s largest NFT marketplace, OpenSea, has suffered a data breach after an employee at its email delivery service leaked user data. The breach could affect millions of people, as any customer who has shared their email address with the company may be vulnerable, the company says.
OpenSea released a statement late last night claiming that an employee at Customer.io, a marketing platform it uses to deliver emails to customers, “misused their employee access to download and share email addresses” with an “unauthorised external party”.
The scale of the OpenSea data breach appears to be massive as any customer who has shared an email address with the company has been urged to remain on high alert for phishing scams. “Please stay vigilant about your email practices,” reads the statement. “Be alert for any attempt to impersonate OpenSea via email.”
The company says it is assisting Customer.io with its own investigation and has reported the incident to law enforcement.
A spokesperson for Customer.io said: “As soon as we learned of the incident, we took immediate steps to investigate, contain its impact and determine its source, including hiring a third-party forensic investigations firm. We are working closely with OpenSea and are reviewing exactly how these email addresses were compromised.
“We believe this resulted from the actions of an employee who had role-specific access privileges that were abused. We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.”
The company says it has launched a comprehensive review of its access and compliance policies and will make adjustments where necessary.
What is OpenSea?
OpenSea is the biggest trading platform for non-fungible tokens, or NFTs, unique digital assets which can represent anything from a piece of art to a concert ticket. In January the platform reportedly generated nearly $5bn in trading volume, and in April the company was valued at $13.3bn after a $300m Series C funding round led by Paradigm and Coatue.
Over 1.8 million users have made at least one NFT purchase through the Ethereum network on OpenSea in the past month, according to data correlated by open source crypto analytics platform Dune Analytics.
Email delivery platforms are a targeted vulnerability for breaches
OpenSea took to Twitter to warn customers about the data breach, and users appear to be already experiencing the consequences.
This is not the first time an email provider has been targeted as a weak spot for crypto platforms. In March HubSpot, a service similar to Customer.io, suffered a breach that exposed personally identifiable information (PII) such as usernames, phone numbers and emails from several blockchain-driven wealth management platforms including Swan Bitcoin, BlockFi, Circle and NYDIG.