NFT marketplace OpenSea has suffered a data breach, exposing email addresses and other information.
Critics are saying this is an example of a lack of security at NFT firms. However, the episode did not result from a high-tech cyber attack, but from a more mundane cause.
“We recently learned that an employee of Customer.io, our email delivery vendor, misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorized external party,” Cory Hardman states in OpenSea's blog post.
Customer.io supports this account.
“We believe this resulted from the actions of an employee who had role-specific access privileges that were abused. We do not believe any other clients’ data has been compromised, but we are continuing to investigate,” the firm says in a statement.
It adds: “The employee in question has had all access removed and has been suspended pending the conclusion of our investigation. Additionally, we are always working to improve our security and we have launched a comprehensive review of our access & compliance policies and will make adjustments where necessary.”
The firm has also hired a third-party forensic investigations firm.
TechCrunch estimates the possible exposure at 1.83 million email addresses.
One critic blames OpenSea, which he says suffered another breach earlier this year.
“This mass data breach highlights that OpenSea is not yet providing the security fundamentals that are essential for attracting more users,” says Kaleb Ells, analyst on the Thematic Team at analytics company GlobalData.
Ells adds, “Although no NFTs were stolen, scammers could now use the exposed email addresses to trick OpenSea users into making transactions, comparable with hoax requests for bank transfers. Cybersecurity must be a key area of focus for NFT marketplaces over the next few years to gain consumer trust, which is vital for mainstream adoption.”
Meanwhile, OpenSea has sent an email to customers, warning them of the danger. Its blog says, “Please be aware that malicious actors may try to contact you using an email address that looks visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation).”