OpenSea phishing threat after rogue insider leaks customer email addresses
Worse, imagine someone finding out you bought one of its NFTs
The choppy waters continue at OpenSea, whose security boss this week disclosed the NFT marketplace suffered an insider attack that could lead to hundreds of thousands of people fending off phishing attempts.
An employee of OpenSea's email delivery vendor Customer.io "misused" their access to download and share OpenSea users' and newsletter subscribers' email addresses "with an unauthorized external party," Head of Security Cory Hardman warned on Wednesday.
"If you have shared your email with OpenSea in the past, you should assume you were impacted," Hardman continued.
To be clear: that is a whole lot of email addresses.
OpenSea is basically a virtual super-mall where people buy and sell non-fungible tokens — essentially an electronic receipt on a blockchain for some type of digital asset, like art, music or collectibles. In other words: nothing, which many, including Bill Gates, consider a very foolish purchase indeed.
OpenSea claims to be the largest NFT marketplace, and it boasts a transaction volume of over $20 billion and more than 600,000 users, all of whom presumably provided their email addresses at one point.
Plus, there's likely more that simply subscribed to the online bazaar's email list.
"We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement," Hardman said.
"Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts," he added, with some example phishing email domains tossed overboard for good measure.
To wit: opensae[.]io, opensea[.]org, and opensea[.]xyz are the kind of lookalike domains to distrust. Don't trust them, and certainly don't click on any URLs in messages sent from them or otherwise engage with these email domains.
OpenSea only sends emails from opensea.io, and these messages never include attachments or requests for users to download anything, Hardman noted. Bear in mind that the sender address a mail client displays is just a header anyone can set; whether a message genuinely came from opensea.io is something the receiving mail server decides via SPF, DKIM and DMARC, and most clients expose that verdict in the message headers or raw source. Also — and this advice basically applies to all aspects of life — never share or confirm passwords or secret wallet phrases when asked to do so by an out-of-the-blue email, he added. Skepticism is healthy, here.
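As an added illustration, not code from OpenSea, Customer.io or the original article, here is a small Python checker that applies the two rules above to a sender: it accepts opensea.io only when the receiving server's Authentication-Results header reports a DMARC pass, and flags lookalike domains by comparing the registrable name and TLD against the real one (same name on another TLD, a typo within two edits, or the brand name embedded in a longer domain). The headers it parses are constructed samples, the edit-distance threshold is an assumption, and taking the last two labels as the registrable domain is a simplification that stands in for a public-suffix list.

```python
import re
from email.utils import parseaddr

# The only domain OpenSea sends mail from, per Hardman's advisory.
LEGIT_DOMAIN = "opensea.io"
# How many edits away from the real second-level label still counts as a
# typosquat (assumption for this example).
MAX_TYPO_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable(domain: str) -> tuple[str, str]:
    """Split 'mail.opensea.org' into ('opensea', 'org').

    Simplification: the registrable domain is taken to be the last two
    labels. A production checker would consult the public suffix list so
    that names such as 'opensea.co.uk' are split correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def dmarc_passed(auth_results: str) -> bool:
    """True if the Authentication-Results header reports dmarc=pass.

    This header is only trustworthy when the receiving server strips any
    copy that arrived from outside and adds its own, which is standard
    practice for mail providers.
    """
    return re.search(r"\bdmarc=pass\b", auth_results, re.I) is not None


def classify_sender(from_header: str, auth_results: str = "") -> tuple[str, str]:
    """Return (verdict, reason) for a From: header plus the receiving
    server's Authentication-Results header (empty if not available).
    Defanged addresses such as 'x@opensae[.]io' are accepted as-is."""
    _, addr = parseaddr(from_header.replace("[.]", "."))
    if "@" not in addr:
        return "suspicious", "no parsable sender address"
    domain = addr.rpartition("@")[2].lower().rstrip(".")

    # Rule 1: the genuine domain counts only if the receiving server authenticated it.
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        if dmarc_passed(auth_results):
            return "legitimate", f"{domain} with DMARC pass"
        return "suspicious", f"claims {domain} but DMARC did not pass (From: is spoofable)"

    # Rule 2: lookalikes of the genuine domain.
    name, tld = registrable(domain)
    legit_name, legit_tld = registrable(LEGIT_DOMAIN)
    if name == legit_name and tld != legit_tld:
        return "lookalike", f"same name as {LEGIT_DOMAIN} on a different TLD (.{tld})"
    distance = edit_distance(name, legit_name)
    if distance <= MAX_TYPO_DISTANCE:
        return "lookalike", f"'{name}' is {distance} edit(s) from '{legit_name}'"
    if legit_name in domain:
        return "lookalike", f"embeds the brand name: {domain}"
    return "unrelated", f"{domain} does not resemble {LEGIT_DOMAIN}"


if __name__ == "__main__":
    # Constructed sample headers, including the three domains from the advisory.
    samples = [
        ("OpenSea <noreply@opensea.io>",
         "mx.example.net; dkim=pass header.d=opensea.io; dmarc=pass header.from=opensea.io"),
        ("Support <help@opensea.io>",
         "mx.example.net; spf=fail smtp.mailfrom=attacker.example; dmarc=fail header.from=opensea.io"),
        ("support@opensae[.]io", ""),
        ("support@opensea[.]org", ""),
        ("support@opensea[.]xyz", ""),
        ("alerts@opensea-support.com", ""),
        ("Customer.io <news@customer.io>", ""),
    ]
    for from_header, auth in samples:
        verdict, reason = classify_sender(from_header, auth)
        print(f"{verdict:<11} {from_header:<40} {reason}")
```

The point of the split into two rules is that they fail differently: a spoofed From: survives the lookalike checks because it is the real domain, so only the authentication result catches it, while a registered typosquat passes DMARC for its own domain and is caught only by the resemblance checks. Homoglyph and punycode (xn--) variants are not handled here; decoding the domain with IDNA and confusable-character normalisation would be the next step.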
The digital market's privacy breach follows another embarrassing incident for the company that happened earlier this month, when its now-former product boss was arrested and charged with wire fraud and money laundering in the first-ever alleged insider-trading case involving the digital tokens.
Nathaniel Chastain, 31, was employed at OpenSea from January to September 2021.
He resigned from his position as head of product after his employers learned he was secretly purchasing, using anonymous accounts, numerous NFTs of cartoon images and artwork knowing the content was about to be featured on OpenSea's marketplace, according to prosecutors in the case. ®
PS: The US Dept of Justice has charged six people with cryptocurrency fraud involving at least $100 million in intended losses.