OpenSea discloses data breach, warns users of phishing attacks

OpenSea, the largest non-fungible token (NFT) marketplace, disclosed a data breach on Wednesday and warned users of phishing attacks that could target them in the coming days.

The online NFT marketplace says it has more than 600,000 users and a transaction volume that surpassed $20 billion.

The company's Head Of Security, Cory Hardman, said that an employee of Customer.io, the platform's email delivery vendor, downloaded email addresses belonging to OpenSea users and newsletter subscribers.

Since the emails stolen in the incident were also shared with an unauthorized external party, Hardman urged potentially affected users to be alert for phishing attempts impersonating OpenSea.

"If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement," Hardman said.

"Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts."

Phishing attack warning

Users were also told to look for emails sent from domains that malicious actors could use to spoof OpenSea's official email domain opensea.io.

Examples of domains that could be utilized in phishing attacks targeting OpenSea users include opensea.org, opensea.xyz, and opeansae.io.

Hardman also shared a set of safety recommendations that would help defend against phishing attempts advising them to be suspicious of any emails trying to impersonate OpenSea, not to download and open email attachments, and to check the URLs of pages linked in OpenSea emails.

Users are also urged never to share or confirm their passwords or secret wallet phrases and never to sign wallet transactions if prompted directly via email.

"We wanted to share the information we have at this time, and let you know that we've reported the incident to law enforcement and are cooperating in their investigation," Hardman added.

In the past, OpenSea users have been targeted by threat actors impersonating fake support staff and by a phishing attack that left more than a dozen users without hundreds of NFTs worth roughly $2 million.

In September, OpenSea also closed a bug that could let attackers empty OpenSea account owners' cryptocurrency wallets by luring them to click on malicious NFT art.

An OpenSea spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.