Celsius mailing list stolen in OpenSea breach
Important takeaways
- Celsius reported today that a Customer.io employee breached the list of user email addresses last month.
- OpenSea was the first target of this breach; However, further investigation has found that other companies were also affected.
- The incident comes at a difficult time for Celsius, which recently suspended user withdrawals and filed for bankruptcy.
Share this article
Celsius said today that a list of client email addresses was leaked through its automated messaging platform Customer.io.
Customer.io Leak Celsius mailing list
A Customer.io employee has leaked a list of email addresses belonging to Celsius customers.
Today, Celsius sent an email to its users indicating that “one of [Customer.io’s] employee gained access to a list of Celsius client email addresses.” The employee then forwarded those addresses to an unnamed malicious third party.
The beleaguered crypto lender stated that the addresses had been kept in Customer.io’s records for marketing purposes and that user accounts were not directly breached. Celsius also said the incident did not “pose a high risk to our clients” and that while it had yet to see proper evidence of the breach, it had chosen to bring it to users’ attention.
According to Celsius, the data breach is part of the same attack that leaked user email addresses linked to NFT marketplace OpenSea in late June. At the time, Celsius had been told that none of the data had been compromised. However, as a precaution, it removed all data from Customer.io and then attempted to confirm that the information had indeed been deleted from the platform.
Nevertheless, on July 8, Customer.io notified Celsius that, upon further investigation, it had determined that one of its employees did in fact have access to the list of user email addresses. Customer.io said today that five companies other than OpenSea were targeted in the breach. Unstoppable Domains seems to be one of them.
In response, Customer.io said the employee responsible for the breach has been terminated and reported to the police.
While the theft of email addresses is not uncommon, the incident comes at an unfortunate time for Celsius. The firm, which has suffered a liquidity crisis it claims was prompted by “extreme market conditions”, suspended user withdrawals in June and is now engaged in bankruptcy proceedings.
Disclosure: At the time of writing, the author of this piece owned BTC, ETH and other cryptocurrencies.