OpenSea is the largest marketplace for non-fungible tokens (NFTs). This week it announced that Customer.io employees accessed and downloaded the company’s email list, and stated that anyone who previously shared their email address with the platform should assume they are affected.
OpenSea has almost 2 million users at the moment. That’s huge!
“Please be aware of malicious actors trying to contact you using an address that looks visually similar to our official email domain, opensea.io (such as opensea.org) or any other variation,” the company told its users in a statement about the data leak.
Paul Laudanski, head of threat intelligence at the email security company Tessian, says insider abuse can be challenging to detect, even when an authorized user is involved. He recommends that all organizations review their third-party risk management protocols to make sure they have a clear understanding of where and how their data is stored.
He further said that this data breach is a stark reminder of the dangers of insider threats: “An authorized user misappropriated their employee access to OpenSea’s users’ email addresses and newsletter subscribers with an untrusted external party.”
According to OpenSea, the company is cooperating with law enforcement to investigate the incident.
Safety Recommendations By OpenSea
1. Please be careful with phishing emails from unknown addresses claiming to be from OpenSea. OpenSea will only send you emails from the domain ‘opensea.io.’ Please don’t respond to emails or open links sent from other domains.
2. OpenSea emails will never send you files. Authentic OpenSea emails do not contain attachments or requests to download anything.
3. Check the URL of any page linked in an OpenSea email. We will only include hyperlinks to ‘email.opensea.io’ URLs. Make sure that ‘opensea.io’ is spelled correctly, as it’s common for malicious actors to impersonate URLs by shuffling letters.
4. Never share your secret wallet phrases or passwords. OpenSea will not ask you to confirm your passwords or personal wallet phrases – in any format.
5. Never sign a wallet transaction that is prompted by an email. OpenSea emails won’t contain links that direct you to sign a wallet transfer.
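The sender, attachment and link checks in the list above, as an added Python example (this is illustrative code, not OpenSea’s own tooling). The two sample messages are constructed; opensea.io and email.opensea.io are the domains the advisory names. Hostnames are matched exactly or as subdomains rather than by substring, so a host such as `opensea.io.evil.example` is rejected, and the lookalike test is an assumed edit-distance threshold (3) that catches the advisory’s `opensea.org` as well as letter swaps like `opensae.io`.

```python
"""Triage an email claiming to come from OpenSea against the domains the
advisory names. Illustrative code, not OpenSea's own; samples are constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SENDER_DOMAIN = "opensea.io"            # sender domain stated in the advisory
LINK_DOMAINS = ("email.opensea.io",)    # link domain stated in the advisory
LOOKALIKE_MAX_DISTANCE = 3              # assumption: edit distance that flags opensea.org


def _normalize(host):
    return (host or "").lower().rstrip(".")


def host_matches(host, allowed):
    """True only for an exact match or a subdomain of an allowed domain.
    A substring test would accept 'opensea.io.evil.example'; this does not."""
    host = _normalize(host)
    return any(host == d or host.endswith("." + d) for d in allowed)


def edit_distance(a, b):
    """Plain Levenshtein distance (substitution, insertion, deletion each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, trusted=SENDER_DOMAIN, max_distance=LOOKALIKE_MAX_DISTANCE):
    """Flags near-misses of the trusted domain such as opensea.org or opensae.io."""
    host = _normalize(host)
    if host_matches(host, (trusted,)):
        return False                      # genuine domain or subdomain, not a lookalike
    registrable = ".".join(host.split(".")[-2:])  # so mail.opensae.io is judged as opensae.io
    return 0 < edit_distance(registrable, trusted) <= max_distance


class _HrefCollector(HTMLParser):
    """Collects href attributes of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def triage_email(raw_message):
    """Apply the advisory's rules: trusted sender domain, no attachments,
    only https links to the trusted link domain. Returns the findings."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    findings = {
        "sender_ok": host_matches(sender_domain, (SENDER_DOMAIN,)),
        "sender_lookalike": is_lookalike(sender_domain),
        "has_attachment": False,
        "bad_links": [],
    }
    collector = _HrefCollector()
    for part in msg.walk():
        if part.get_filename():
            findings["has_attachment"] = True
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href in collector.hrefs:
        parts = urlsplit(href)
        # parts.hostname drops any 'user@' prefix, so https://opensea.io@evil.example
        # is judged by evil.example, not by the text before the '@'
        if parts.scheme != "https" or not host_matches(parts.hostname, LINK_DOMAINS):
            findings["bad_links"].append(href)
    rejected = (not findings["sender_ok"] or findings["has_attachment"]
                or bool(findings["bad_links"]))
    findings["verdict"] = "reject" if rejected else "accept"
    return findings


# Constructed sample messages (not real OpenSea mail).
SAMPLE_PHISH = """\
From: "OpenSea" <support@opensea.org>
To: user@example.com
Subject: Action required
Content-Type: text/html; charset=utf-8

<html><body><a href="https://opensea.org/login">Verify</a>
<a href="https://email.opensea.io/news">Newsletter</a></body></html>
"""

SAMPLE_LEGIT = """\
From: OpenSea <news@opensea.io>
To: user@example.com
Subject: Newsletter
Content-Type: text/html; charset=utf-8

<html><body><a href="https://email.opensea.io/news">Newsletter</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage_email(raw))
```

Run it directly to see both verdicts. The important design point is in `host_matches`: the advisory’s “make sure opensea.io is spelled correctly” is only safe to automate as a suffix match on the parsed hostname, never as a substring search over the raw link text.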
Profitable Dataset for Cybercrooks
Stephen Banda, a senior manager at Lookout, believes the breach was financially motivated, as the OpenSea email database is a lucrative dataset for cybercriminals.
He notes that there is a huge market for stolen credentials and personal information, and that bad actors will find 2 million email addresses attractive for broad phishing campaigns.
Karl Steinkamp, a director at Coalfire, believes attackers can use the email list to steal NFTs and other sensitive information from OpenSea users.
Steinkamp warns that the disclosure of email addresses gives attackers a strong base of active individuals from whom to steal NFTs and to whom to distribute malware. Therefore, OpenSea emails about ongoing and new activities should be sent to individuals and companies by OpenSea. They should not be opened manually via the opensea.io site.
Laudanski warns that more businesses are turning to NFTs for marketing and to raise brand awareness.
He notes a growing trend of hackers trying to steal transactions from wallet owners by fraudulent means. “This announcement should be a wake-up call to all crypto startups to audit their security practices and those of third-party vendors and partners.”