June 30, 2022 (updated 17 Aug 2022 9:10am)

NFT marketplace OpenSea reports massive data breach that could affect millions of users

A breach at the marketplace's email provider has left millions of its users exposed to possible attacks.

By Claudia Glover

The world’s largest NFT marketplace, OpenSea, has suffered a data breach after an employee at its email delivery service leaked user data. The breach could affect millions of people, as any customer who has shared their email address with the company may be vulnerable, OpenSea says.


OpenSea released a statement late last night claiming that an employee at Customer.io, a marketing platform it uses to deliver emails to customers, “misused their employee access to download and share email addresses” with an “unauthorised external party”.

The scale of the OpenSea data breach appears to be massive as any customer who has shared an email address with the company has been urged to remain on high alert for phishing scams. “Please stay vigilant about your email practices,” reads the statement. “Be alert for any attempt to impersonate OpenSea via email.”

The company says it is assisting Customer.io with its own investigation and has reported the incident to law enforcement.

A spokesperson for Customer.io said: “As soon as we learned of the incident, we took immediate steps to investigate, contain its impact and determine its source, including hiring a third-party forensic investigations firm. We are working closely with OpenSea and are reviewing exactly how these email addresses were compromised.

“We believe this resulted from the actions of an employee who had role-specific access privileges that were abused. We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.”

The company says it has launched a comprehensive review of its access and compliance policies and will make adjustments where necessary.

What is OpenSea?

OpenSea is the biggest trading platform for non-fungible tokens, or NFTs, unique digital assets which can represent anything from a piece of art to a concert ticket. In January the platform reportedly generated nearly $5bn in trading volume, and in April the company was valued at $13.3bn after a $300m Series C funding round led by Paradigm and Coatue.


Over 1.8 million users have made at least one NFT purchase through the Ethereum network on OpenSea in the past month, according to data collated by open-source crypto analytics platform Dune Analytics.

Email delivery platforms are a targeted vulnerability for breaches

OpenSea took to Twitter to warn customers about the data breach, and users appear to be already experiencing the consequences.

This is not the first time an email provider has been targeted as a weak spot for crypto platforms. In March, HubSpot, a service similar to Customer.io, suffered a breach that exposed personally identifiable information (PII) such as usernames, phone numbers and emails from several blockchain-driven wealth management platforms, including Swan Bitcoin, BlockFi, Circle and NYDIG.
