Commentary

Email Saboteur: Customer.io Engineer Leaked Email Addresses From Six Clients, Firm Says

The data breach that exposed OpenSea email addresses was worse than initially reported, email delivery firm Customer.io said on Friday. Email addresses belonging to five other customers were handed to the same external bad actor, the company revealed in a statement.

“We know this was a result of the deliberate actions of a senior engineer who had an appropriate level of access to perform their duties, and provided these email addresses to the bad actor,” Customer.io explained. “This action was limited to this single employee.” 

It continued: “Despite the many precautions taken to protect our customer data, the employee’s role enabled specific access to these email addresses. This employee has been terminated, all access has been revoked and we have reported this employee to law enforcement.” 

Customer.io has not named the five clients, but says it has notified them. The aggregate size of the exposure was not known at deadline. 

Breaches of email vendors are rare, but they are not unheard of. In March, Mailchimp was hit by an attack that exposed data on cryptocurrency-related accounts, including those of the hardware-wallet maker Trezor.

Mailchimp, now part of Intuit, found that a malicious actor had accessed “one of our internal tools used by customer-facing teams for customer support and account administration,” said Siobhan Smyth, Mailchimp’s CISO. 

This incident was “propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised,” Smyth added.   

One critic blamed the OpenSea breach on a lack of security at NFT firms. But on Customer.io's account, the failure was an insider with legitimate access at the vendor, not OpenSea's own defenses, and the blame appears to reside with the fired Customer.io employee.

Customer.io said it has taken the following measures:

  • “Our intrusion detection system and immutable logging has been improved to provide more proactive notifications of data exfiltration.”
  • “Access to production systems and data stores has been further restricted.”
  • “All access and authorization keys for critical services were reviewed and rotated.”
  • “Access to the data in customer’s accounts by Customer.io employees is now opt-in as a setting (and turned off by default). Customers can now grant Customer.io’s support team access to their account for a limited time and only if they choose to.”
  • “If accessing a customer account, Customer.io staff can no longer export customer data.”
  • “We’re refreshing and will be retraining all staff on our security policies.”
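The first, fourth and fifth items in that list describe controls that can be modelled directly in code. The following is an added example written for this page, not Customer.io's own implementation: a default-deny policy in which a customer opts a support engineer in for a bounded time and the permitted actions never include export, and a detector that reads immutable audit-log lines and alerts on bulk email-address access or on any export attempt. The role names, action names, JSON log schema, thresholds and sample log lines are all assumptions made for illustration.

```python
"""
Added example, not Customer.io's code: a minimal model of (1) customer-granted,
time-limited support access that carries no export right and (2) a detector for
bulk email-address access run over immutable audit-log lines.  Roles, actions,
the log schema, thresholds and the log lines are constructed for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SupportGrant:
    workspace: str        # customer account the grant applies to
    granted_by: str       # customer user who opted in
    expires_at: datetime  # grant is void at or after this instant


class AccessPolicy:
    """Default-deny: support staff see nothing unless the customer opts in."""

    # Actions a support engineer may perform inside a granted workspace.
    # Bulk "export" is deliberately absent, so it is denied regardless of grant.
    SUPPORT_ACTIONS = frozenset({"view_profile", "view_campaign", "resend_message"})

    def __init__(self):
        self._grants: dict[str, SupportGrant] = {}

    def customer_grants_access(self, workspace, customer_user, hours, now):
        """Customer opts in for a bounded window; a new grant replaces the old."""
        self._grants[workspace] = SupportGrant(workspace, customer_user,
                                               now + timedelta(hours=hours))

    def authorize(self, actor_role, workspace, action, now):
        """True only for the support role, an unexpired grant and a listed action."""
        if actor_role != "support":
            return False
        grant = self._grants.get(workspace)
        if grant is None or now >= grant.expires_at:
            return False
        return action in self.SUPPORT_ACTIONS


def detect_exfiltration(log_lines, max_distinct_emails=50, window_minutes=60):
    """Scan JSON-lines audit records (assumed fields: ts, actor, workspace,
    action, optional email).  Alert when an actor touches more distinct email
    addresses than the threshold inside a sliding window, or on any export."""
    window = timedelta(minutes=window_minutes)
    events = sorted((json.loads(l) for l in log_lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    touches = defaultdict(list)  # actor -> [(timestamp, email)], in time order
    for e in events:
        if e["action"] == "export":
            alerts.append({"actor": e["actor"], "reason": "export_attempt", "at": e["ts"]})
        if "email" in e:
            touches[e["actor"]].append((datetime.fromisoformat(e["ts"]), e["email"]))

    for actor, seen in touches.items():
        counts = defaultdict(int)  # distinct emails currently inside the window
        start = 0
        for ts, email in seen:
            counts[email] += 1
            while seen[start][0] < ts - window:  # slide the window forward
                old = seen[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) > max_distinct_emails:
                alerts.append({"actor": actor, "reason": "bulk_email_access",
                               "distinct_emails": len(counts), "at": ts.isoformat()})
                break  # one alert per actor is enough to page on
    return alerts


def sample_audit_log():
    """Constructed records: a benign three-lookup support session, an insider
    reading 60 distinct addresses in ten minutes, and one export attempt."""
    base = datetime(2022, 7, 1, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):
        lines.append(json.dumps({"ts": (base + timedelta(minutes=i)).isoformat(),
                                 "actor": "support_alice", "workspace": "ws_1",
                                 "action": "view_profile", "email": f"user{i}@example.com"}))
    for i in range(60):
        lines.append(json.dumps({"ts": (base + timedelta(seconds=10 * i)).isoformat(),
                                 "actor": "eng_mallory", "workspace": "ws_2",
                                 "action": "view_profile", "email": f"cust{i}@example.com"}))
    lines.append(json.dumps({"ts": (base + timedelta(minutes=15)).isoformat(),
                             "actor": "eng_mallory", "workspace": "ws_2", "action": "export"}))
    return lines


def demo_policy():
    """Exercise the grant lifecycle: no opt-in, opt-in, export, expiry."""
    now = datetime(2022, 7, 1, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy()
    before = policy.authorize("support", "ws_1", "view_profile", now)
    policy.customer_grants_access("ws_1", "owner@example.com", hours=2, now=now)
    granted = policy.authorize("support", "ws_1", "view_profile", now)
    export = policy.authorize("support", "ws_1", "export", now)
    expired = policy.authorize("support", "ws_1", "view_profile", now + timedelta(hours=3))
    return before, granted, export, expired


if __name__ == "__main__":
    print(demo_policy())
    for alert in detect_exfiltration(sample_audit_log()):
        print(alert)
```

The detector only sees what the log records, which is why the first bullet pairs detection with immutable logging: an insider who can edit or drop audit lines defeats the threshold, so the log must be append-only and written outside the engineer's reach.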

Customer.io describes itself as an automated messaging platform that supports email, push notifications and SMS. It lists clients such as Imax, Segment, The Know and Shutterstock, and its website features recent case studies for customers such as Wedio and Mysa.
