Date: 2022-07-02

OpenSea, the most popular NFT (non-fungible token) trading platform, has warned its users that they could become victims of email phishing, since the email addresses of everyone who has ever shared their address with the platform have been leaked.

A member of staff at Customer.io, which is a contracted email provider for OpenSea, misused their employee access to download the email addresses of OpenSea users and newsletter subscribers and share them with an unauthorized external party, OpenSea announced a few hours ago. The magnitude of the security breach appears to be massive.

About 2 million people affected

“If you have shared your email with OpenSea in the past, you should assume that this affects you,” the company said.

“We recently learned that an employee of Customer.io, our email service provider, misused their privileges to download and share addresses with someone external and unauthorized”. These were all addresses provided by OpenSea users and subscribers to its newsletter. OpenSea has already reported the matter to the police.

The company has also explained that it is working with Customer.io on an ongoing investigation. According to data from Dune Analytics, more than 1.8 million users have made at least one purchase through OpenSea in its history. And each and every one of these people could be a victim of phishing.

For now, this employee no longer has access to the programs and is suspended from his job until the investigation yields more information.

This bizarre story bears a certain resemblance to another that we reported a few days ago: a worker from a Japanese company, subcontracted by the city council, saved all the information of each of the inhabitants of that city on a USB drive and then lost the drive while drunk. The USB drive was eventually located, but the case shows how bad practice with private data, by just one person, can put us in danger.

How to protect yourself, according to OpenSea





OpenSea has already been the victim of other attacks in the past, and the platform has also been misused to inflate the prices of certain NFTs and cheat other users. A flaw in the platform even allowed scams totaling 1 million euros. Avoiding plagiarism of works of art is another great challenge for the platform.

Now it gives recommendations on how to protect yourself from this latest leak. “Because the compromised data includes email addresses, there may be a higher probability of email phishing attempts” and, therefore, it is recommended to be very careful whenever users receive an email that seems to come from OpenSea.

Cybercriminals can try to get in touch using an email address that visually resembles the platform’s official email domain, which is ‘opensea.io’ (for example, they can send emails from a domain like ‘opensea.org’ or some other variation).

“OpenSea will ONLY send you emails from the domain: ‘opensea.io’. Please do not accept any email claiming to be from OpenSea that is not from this email domain,” they insist. Also, “never download anything from an OpenSea email. Authentic OpenSea emails do not include attachments or download requests.”

Also, you should never sign a requested wallet transaction directly from an email. Emails from OpenSea will never contain links that directly ask you to sign a wallet transaction.
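As an added illustration (not code from OpenSea or from the original article), the sender-domain and no-attachment rules above can be expressed as a small mail-triage check in Python. The sample messages, the `noreply` mailbox name and the `mx.example` server name are constructed, and the check assumes the receiving mail server records its DMARC verdict in an `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

OFFICIAL_DOMAIN = "opensea.io"  # the only sending domain OpenSea's advisory names

def sender_domain(msg):
    """Domain of the From address, lower-cased ('' if it cannot be parsed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def triage(raw):
    """Return the reasons a message claiming to be from OpenSea breaks its rules."""
    msg = message_from_string(raw)
    reasons = []
    domain = sender_domain(msg)
    if domain != OFFICIAL_DOMAIN:  # exact match: opensea.org or opensea.io.example fail
        reasons.append(f"sender domain {domain!r} is not {OFFICIAL_DOMAIN}")
    # From is forgeable, so also require the receiving server's DMARC verdict.
    # Assumption: the mail server stamps Authentication-Results and strips forged copies.
    results = " ".join(msg.get_all("Authentication-Results", []))
    if not re.search(r"\bdmarc=pass\b", results):
        reasons.append("no dmarc=pass result from the receiving server")
    if any(part.get_content_disposition() == "attachment" for part in msg.walk()):
        reasons.append("carries an attachment")
    return reasons

def sample(from_hdr, dmarc="pass", attach=False):
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["Subject"] = "Action required on your account"
    m["Authentication-Results"] = f"mx.example; dmarc={dmarc}"
    m.set_content("Constructed body text.")
    if attach:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename="invoice.bin")
    return m.as_string()

if __name__ == "__main__":
    for hdr, dmarc, att in [("OpenSea <noreply@opensea.io>", "pass", False),
                            ("OpenSea <noreply@opensea.org>", "pass", False),
                            ("OpenSea <noreply@opensea.io>", "fail", True)]:
        print(hdr, "->", triage(sample(hdr, dmarc, att)) or "consistent with the advisory")
```

An empty result only means the message does not break these two rules; the advisory's remaining rule, never signing a wallet transaction from an email link, still applies.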