
Rogue Employee Working With OpenSea NFT Marketplace Stole Customers' Email Data

Tags: opensea email
29/06/2022

OpenSea is a U.S.-based online non-fungible token (NFT) marketplace. Founded by Devin Finzer and Alex Atallah in 2017, it thrives as a marketplace where NFTs can be sold directly at a fixed price, or through an auction.

Following the significant boost in NFT usage in 2021, the company's revenue reached $95 million in February 2021 and $2.75 billion in September of that year.

By January 2022, the company had been valued at $13.3 billion.

Considered the largest non-fungible token marketplace, the company has a long list of customers who use its platform. This time, someone stole all of those people's email data in order to sell it to third-party data brokers and anyone else willing to pay.

The news was announced in a blog post by OpenSea, which has sent a warning to its customers to watch for spam and phishing attacks.

After a thorough investigation, the incident turned out to be an inside job.

According to the report, a person with high-privilege access decided to steal the long list of OpenSea customers' emails and sell them to an outside party.

The culprit was an employee of Customer.io, a platform dedicated to managing newsletters and customer emails.

OpenSea had outsourced this work to Customer.io; its staff later realized that a Customer.io employee was selling email data and reported it immediately.

OpenSea warned that anyone who has ever shared their email address with the platform in the past should assume they are impacted.

OpenSea currently has nearly 2 million users.

"Please be aware that malicious actors may try to contact you using an email address that looks visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation)," the company warned its users in a statement about the data leak.

OpenSea also shared other safety recommendations.

For example, customers must never download anything from an OpenSea email, simply because authentic OpenSea emails do not include attachments or requests to download anything. Users must never share or confirm their passwords or secret wallet phrases, and must never sign a wallet transaction prompted directly via email.

"Your trust and safety is a top priority. We wanted to share the information we have at this time, and let you know that we’ve reported the incident to law enforcement and are cooperating in their investigation," the company said.

Data breaches like this keep happening because user data is expensive, and it has long been a commodity among hackers and scammers.

And considering the popularity of OpenSea in the NFT industry, in which it deals with items with a combined value worth billions of dollars, the demand for its user data on the black market should be high.

"We believe this resulted from the actions of an employee who had role-specific access privileges that were abused," said a spokesperson for Customer.io. "We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation."

This isn't the first time OpenSea has had to deal with a security issue.

In the past, OpenSea users have been targeted by threat actors posing as support staff and by a phishing attack that left more than a dozen users without hundreds of NFTs worth roughly $2 million.

In September, OpenSea also closed a bug that could let attackers empty OpenSea account owners' cryptocurrency wallets by luring them to click on malicious NFT art.

This post first appeared on Eyerys | Eyes For Solution, please read the original post: here