All users who shared their email address with NFT marketplace told: ‘Assume you were impacted’

OpenSea reveals NFT email breach, blames employee at third-party vendor

UPDATED OpenSea, the world’s largest non-fungible token (NFT) marketplace, has revealed that a rogue employee at a third-party vendor has shared its users email addresses with an unauthorized external entity.

“If you have shared your email with OpenSea in the past, you should assume you were impacted,” users were warned by OpenSea head of security Cory Hardman in a blog post on June 29.

The alleged culprit was employed by Customer.io, an automated messaging platform used by marketers to create and send emails, push notifications, and SMS messages.


Catch up with the latest blockchain security news


“We recently learned that an employee of Customer.io, our email delivery vendor, misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorized external party,” said Hardman.

“We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”

Security improvements

Customer.io initially told The Daily Swig that “the employee in question has had all access removed and has been suspended pending the conclusion of our investigation”.

That investigation then unearthed further leaks, with Customer.io issuing a further statement on July 7 saying it had learned that the rogue employee had provided email addresses associated with five other customers “to the same external bad actor”.

It continued:


We know this was a result of the deliberate actions of a senior engineer who had an appropriate level of access to perform their duties, and provided these email addresses to the bad actor. This action was limited to this single employee.

Despite the many precautions taken to protect our customer data, the employee’s role enabled specific access to these email addresses. This employee has been terminated, all access has been revoked and we have reported this employee to law enforcement.

The protection of our customer’s data is our first priority and this employee’s actions let us all down. We have alerted the five other customers to this information and sincerely apologize to them.

Customer.io said that a comprehensive security review of access and security policies had already resulted in a number of changes.

These include intrusion detection and immutable logging improvements to provide more proactive notifications of data exfiltration, further restrictions on access to production systems and data stores, rotation of all access and authorization keys for critical services, and turning access to customer account data off by default.

Moreover, when permitted to access customer accounts, Customer.io staff can no longer export customer data.

The firm said it was also retraining all staff on security policies.

Finally, Customer.io said it did “not expect to learn [of] any additional information [being compromised] since this incident resulted from the actions of a single employee, who had legitimate access to these email addresses as part of the employee’s job”.

Phishing warning

Cory Hardman from OpenSea warned users of “a heightened likelihood for email phishing attempts”, and urged them to “be alert for any attempt to impersonate OpenSea” from email addresses that look “visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation).”

Moreover, continued Hardman, users should always scrutinize embedded hyperlinks before clicking, and never download attachments from emails purporting to be from OpenSea, or share passwords or secret wallet phrases, or sign wallet transactions, when prompted via email.

Over on Twitter, security researcher ‘CIA Officer’ advised users to be vigilant about the use phishing tool Email Appender, IP-loggers, and canary tokens.

“I strongly recommend checking email header, domain and disable ‘download remote content’, also do not forget about MFA [multi-factor authentication]!” they added.

Founded in in New York in 2017, OpenSea claims to be the world’s first as well as biggest marketplace focused on NFTs and crypto collectibles.


This article was updated on June 30 with comment from Customer.io, and then with an additional update from Customer.io on July 11


DON’T MISS Ready meal distributor Apetito restores ‘limited’ deliveries in UK following cyber-attack