In a blog post published Wednesday, OpenSea said the issue was caused by an employee of Customer.io, which is OpenSea’s email delivery vendor.

OpenSea is a popular NFT marketplace that is the latest victim of a data breach. According to OpenSea’s blog post published Wednesday, the issue was caused by an employee of Customer.io, which is OpenSea’s email delivery vendor.

Reportedly, the employee misused their access to download/share email IDs of OpenSea users and the company’s newsletter subscribers with an unauthorized third party. The company claims it is in touch with Customer.io, and an investigation is underway. Law enforcement authorities have been informed about the incident.

Customer.io Response

A representative of Customer.io stated that the company believes that the employee had abused “role-specific access privileges,” however, they don’t believe any other data of their clients was compromised.

“The employee in question has had all-access removed and has been suspended pending the conclusion of our investigation.”

Customer.io

Data Breach Impact

This data breach’s impact is massive. As per data collected by an open-source crypto evaluation platform, Dune Analytics, around 1.8 million users made purchases via the Ethereum network on OpenSea.

The company explained that whoever shared an email address with the platform, even in the past, would be impacted. Unfortunately, an email delivery vendor could not secure the only thing they are supposed to protect, customers’ email addresses.

NFT Marketplace OpenSea Suffers Data Breach- Users' Email IDs Leaked
Emails sent by OpnSea.io to impacted customers (Screenshot via @Econoar/Twitter)

How to Stay Safe?

This data breach isn’t as devastating as some previous data breaches affecting other crypto startups since only email IDs were leaked. Still, because it is a crypto-related breach, every user of OpenSea becomes vulnerable to phishing emails.

OpenSea urges users to only open emails from the domain Opensea.io and not to download any attachments present in OpenSea email. Moreover, users must refrain from sharing secret wallet phrases or passwords with anyone.

“Please be aware that malicious actors may try to contact you using an email address that looks visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation).”

OpenSea

More NFT and Crypto Breaches