- OpenSea’s email vendor has leaked the addresses of users and subscribers to the OpenSea newsletter.
- An employee of Customer.io has leaked addresses to an unauthorized third party.
- Users who have shared their email addresses with OpenSea in the past have been asked to be cautious of possible email phishing attempts.
At the beginning of the month, one major news that made headlines was, Former OpenSea Employee Charged For Committing Insider Trading in NFTs. Looks like the fate of the marketplace was destined to end on the same unpleasant note as it began.
An employee of Customer.io, OpenSea’s email delivery vendor, has misused their employee access to download and share email addresses with an unauthorized external party. Users who have shared their email with the marketplace in the past are impacted. Reporting the incident to law enforcement, OpenSea is working with Customer.io in their investigation.
An employee of our email vendor, https://t.co/6vM4WAcJal, misused their employee access to download & share email addresses with an unauthorized external party.— OpenSea (@opensea) June 30, 2022
Email addresses provided to OpenSea by users or newsletter subscribers were impacted.https://t.co/Osb6qqkqZZ
Since the data compromised has email addresses, email phishing attempts are quite possible. Users must remember that malicious actors may use a similar-looking email address as OpenSea’s official email domain, opensea.io (such as ‘opensea.org’ or some other variation).
Some of the major safety recommendations suggested by OpenSea are:
- OpenSea sends emails from their domain, opensea.io. Hence, any email that claims to be from OpenSea but has a different email domain should be ignored.
- Nothing should be downloaded from an OpenSea email because authentic emails neither have any attachment nor any link to download.
- The URL of any page linked in an OpenSea email must be checked. The marketplace includes hyperlinks to ’email.opensea.io’ URLs only. The spelling of opensea.io should be checked as well, as malicious actors shuffle letters to impersonate URLs.
- Passwords or secret wallet phrases are not meant to be shared or confirmed because OpenSea never asks users to do this.
- Wallet transactions prompted from an email should never be signed. OpenSea emails never contain links that ask the users to sign a wallet transaction. Wallet transactions that don’t list the origin of https://opensea.io must not be signed.
Any suspicious communication that appears to be from OpenSea should be immediately reported at support.opensea.io.Earlier, Today NFT News reported that OpenSea upgraded auto-hide function to combat fraudulent activities in response to phishing attacks that made users lose their valuable assets.