Online marketplace for NFTs, OpenSea have informed their customers of an email security breach.
The news of this breach comes only months after a phishing attack that resulted in stolen NFTs. This time, the breach happened internally when an employee of OpenSea’s email vendor Customer.io misused their employee access to download & share email addresses with an unauthorized external party.
If you have shared your email with OpenSea in the past, you should assume you were impacted. OpenSea are currently working with Customer.io in their ongoing investigation, and have reported this incident to law enforcement.
Since they became a thing, NFTs have been scrutinised as unsustainable in many ways. Being vulnerable to fraud and theft is just one reoccurring issue. Marketplaces are clearly still struggling to close loopholes and ensure customers are safe. With occurrences like this, it is no surprise that data breaches are on the rise.
How Can You Protect Yourself on OpenSea?
Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts. While safe email practices are always important, OpenSea are recommending that you follow the guidelines listed below and treat any future emails that appear to be from OpenSea carefully.
Please be aware that malicious actors may try to contact you using an email address that looks visually similar to OpenSea’s official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation).
Safety Recommendations:
- Be cautious of phishing emails from addresses trying to impersonate OpenSea. OpenSea will ONLY send you emails from the domain: ‘opensea.io.’ Please do not engage with any email claiming to be from OpenSea that does not come from this email domain.
- Never download anything from an OpenSea email. Authentic OpenSea emails do not include attachments or requests to download anything.
- Check the URL of any page linked in an OpenSea email. OpenSea will only include hyperlinks to ‘email.opensea.io.’ URLs. Make sure that ‘opensea.io’ is spelled correctly, as it’s common for malicious actors to impersonate URLs by shuffling letters.
- NEVER share or confirm your passwords or secret wallet phrases. OpenSea will never prompt you to do this – in any format.
- NEVER sign a wallet transaction prompted directly from an email. OpenSea emails will never contain links which directly prompt you to sign a wallet transaction. Never sign a wallet transaction that doesn’t list the origin of https://opensea.io if you were led there by email.