OpenSea – one of the most popular NFT-centric platforms – has reported a data breach affecting the personally-identifying information (PII) of customers subscribed to the company’s mailing list.
Lax External Security at Fault
The breach was not caused by OpenSea itself, the firm explained. Rather, it was due to an employee of Customer.io, a third-party platform hired by OpenSea to manage social media communications.
This is not the first time Customer Relationship Management (CRMs) platforms have proven to be a chink in the armor for crypto and NFT platforms. As recently as March, a similar CRM – Hubspot – was responsible for a nearly identical data breach affecting Circle, Swan Bitcoin, BlockFi, and NYDIG.
An Uptick in Phishing Attempts Expected
OpenSea officially announced the breach in a blog post published only a few hours ago. In the statement, the company warned users that the amount of data stolen is suspected to be rather large, advising them to be extra vigilant.
On Twitter, OpenSea customers are already reporting suspicious e-mails, phone calls, and messages directed at them, which are believed to be taking place due to info stolen by the Customer.io employee.
My info was breached thanks to OpenSea and Customer io 😂 Lord Jeebus help me. I was wondering why I had so many spammy texts, phone calls, and emails lately. 🙄
— Metzilmazatl (Moon Deer)🪶🏳️🌈 (@TheAscendant3) June 30, 2022
The spokesperson for OpenSea also confirmed that the team has already contacted the relevant legal authorities about the breach. Unlike recent exploits of blockchain-related platforms, this attack is centered on customer data – which, unlike tokens, are heavily protected by governments around the world.
“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement. Please stay vigilant about your email practices, and be alert for any attempt to impersonate OpenSea via email.”
OpenSea has already begun to send out e-mails to addresses confirmed to have been affected, briefly explaining how the breach came about and warning users to be on their guard.
OpenSea data breach. pic.twitter.com/FEtDKsoHje
— eric.eth (@econoar) June 30, 2022
Several anti-phishing best practices are also touched on in the e-mail – along with a reminder that opensea.io is the only legitimate website domain owned by the company. A warning to avoid downloading attachments is also included, reiterating that e-mails from OpenSea do not have attachments as a general rule.
Hyperlinks were also touched on – although OpenSea e-mails may include some, any link prompting a user to sign a wallet transaction should be assumed to be fraudulent.
In closing, OpenSea promises to update users about the situation whenever possible and requests that any phishing attempts be reported to their support team.