OpenSea, the popular NFT marketplace that hit a colossal $13 billion valuation in January, is warning users of email phishing after a data breach.
A staff at Customer.io, an email vendor contracted by OpenSea, misused their employee access to download and share email addresses of OpenSea’s users and newsletter subscribers with an unauthorized external party, the world’s largest NFT marketplace said Wednesday night.
The scale of the security breach appears massive. “If you have shared your email with OpenSea in the past, you should assume you were impacted,” the company said, adding that it’s working with Customer.io in an ongoing investigation and has reported the incident to law enforcement.
More than 1.8 million users have made at least one purchase through the Ethereum network on OpenSea, according to data collected by Dune Analytics, an open-source crypto analytics platform.
“We believe this resulted from the actions of an employee who had role-specific access privileges that were abused,” a spokesperson for Customer.io said to TechCrunch. “We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.”
Crypto startups have emerged as a target for cyberattacks as the industry sees explosive growth and money flooding in. Blockchain-based, decentralized networks promise to provide better security, but the average users today lean towards centralized services like OpenSea for their convenience.
Case in point, in March, a data breach at HubSpot, a customer relations management software firm, led to data breaches at BlockFi, Circle, and others. Fractal, an NFT platform started by Twitch co-founder Justin Kan, had a rocky debut in December after a scammer hacked the announcement bot to pocket $150,000.
One of the biggest crypto heists to date has been the $625 million theft from Ronin, a blockchain network connected to the play-to-earn game Axie Infinity.
Growing at a breakneck rate, self-proclaimed web3 platforms relying on centralized cloud services are subject to similar if not greater security risks as established web2 services, compared to those built on distributed ledger technologies like blockchain which is believed to be better at preventing cyberattacks.