Largest NFT marketplace OpenSea suffers a third-party data breach

The world’s largest NFT marketplace, OpenSea, warned of potential phishing attacks after a data breach at a third party exposed users’ email addresses.

Non-fungible tokens (NFTs) are digital property rights registered on the Ethereum blockchain. They apply to digital or artistic creations such as photos, videos or web content.

OpenSea is worth around $13 billion and has about 1.5 million customers, according to Dune Analytics. The third-party data breach could affect around 1.8 million newsletter subscribers and customers.

A third-party employee gained access to customer information in the OpenSea data breach

According to OpenSea, an employee of the email delivery company downloaded and shared email addresses with an unauthorized party.

“We recently learned that an employee of Customer.io, our email delivery provider, abused employees’ access to download and share email addresses with an unauthorized third party,” said OpenSea.

“We are working with Customer.io in their ongoing investigation, and we have reported this incident to the police,” OpenSea wrote on its website.

“If we believe your email address was compromised, you will receive an email from the domain ‘company tweeted on June 30, 2022.

The third party, Customer.io, added that it had revoked access privileges for the employee who shared OpenSea’s email addresses with the unauthorized party.

In addition, the unauthorized party did not gain access to other OpenSea customer information, and the data breach did not affect other companies.

OpenSea expects the third-party data breach to affect anyone who has shared their email address with the NFT marketplace.

“If you have shared your email with OpenSea in the past, you should assume you were affected,” the NFT marketplace warned.

According to the Verizon 2021 Data Breach Investigations Report, insider threats account for almost a quarter (22%) of all data breaches. Similarly, 51% of organizations have suffered a third-party data breach, according to the Ponemon Institute.

“This case is unique in that it appears to be an intentional act by a malicious insider, rather than an inadvertent leak due to faulty procedures or an external attack by a hacker or hacker group,” said Adrien Gendre, Chief Tech and Product Officer at Vade.

“Third-party vendors pose a significant risk to businesses because you as a customer do not have control over your vendors’ security policies or controls,” Gendre added. “It would be interesting to know if the provider has a DLP system in place to prevent data from being illegally transferred outside the company, and if so, to find out why or how the data managed to be transferred to an unauthorized third party.”

The NFT marketplace warns against phishing from fake domains and fraudsters

The NFT marketplace warned users to avoid phishing emails sent by third parties or from counterfeit domains such as opensea.org, opensea.xyz and opensae.io, among others.

In addition, users of the NFT marketplace should avoid downloading attachments from OpenSea emails and avoid confirming passwords or passphrases via email.

Likewise, they should avoid signing transactions sent via email and transactions that originate from outside the domain.
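The counterfeit domains named above fall into two patterns: the real name under a different top-level domain (opensea.org, opensea.xyz) and a transposed-letter typo (opensae.io). The Python sketch below is an added example, not code from OpenSea or the original article, that triages From: headers for both patterns and, going beyond the listed cases, for domains that merely embed the brand name. It assumes opensea.io is the legitimate sending domain; the function names and sample headers are constructed for illustration.

```python
from email.utils import parseaddr

TRUSTED = "opensea.io"  # assumption: the legitimate sending domain

def osa_distance(a, b):
    """Edit distance that counts an adjacent-character swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED, max_edits=2):
    """Label the domain of a From: header relative to the trusted domain."""
    _, at, domain = parseaddr(from_header)[1].rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return "unparseable"
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"  # assumption: subdomains of the trusted domain are fine
    t_name, t_tld = trusted.rsplit(".", 1)
    labels = domain.split(".")
    # The last two labels approximate the registrable domain; a production
    # check would use the Public Suffix List for suffixes such as co.uk.
    name, tld = (labels[-2], labels[-1]) if len(labels) > 1 else (domain, "")
    if name == t_name and tld != t_tld:
        return "tld-swap"
    if osa_distance(name, t_name) <= max_edits:
        return "typo-lookalike"
    if t_name in domain:
        return "brand-embedded"
    return "unrelated"

# Constructed sample headers; the lookalike domains are the ones named above.
SAMPLES = [
    "OpenSea <noreply@opensea.io>", "OpenSea Support <help@opensea.org>",
    "alerts@opensea.xyz", "OpenSea <security@opensae.io>",
    "OpenSea <team@opensea.io.example.net>", "newsletter@example.com",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):15} {header}")
```

The display name plays no part in the verdict, which is the point: a message can show "OpenSea" as the sender while the address domain is one of the lookalikes.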

NFT and crypto marketplaces are lucrative targets for cyber attacks

The recent incident comes on the heels of other data breaches targeting the NFT market.

In February, fraudsters stole NFTs worth $1.7 million through phishing, while hackers compromised a frequently used Discord bot in May 2022. Other crypto and NFT marketplaces have also become lucrative targets for attacks.

In May, Circle and BlockFi were subjected to cyber attacks via the content management system HubSpot, while a fraudster stole $150,000 from the Fractal NFT market. Similarly, the Bored Ape Yacht Club lost $360,000 in NFTs in a phishing attack.

However, Ronin’s cyberattack is the mother of all crypto data breaches, with hackers stealing $625 million in March 2022. Cybercrime experts attributed the hack to the North Korean hacking group Lazarus.

“NFTs are a great example of how ‘possession is nine-tenths of the law’,” said Tim Prendergast, CEO of strongDM. “If you have the NFT, then you have the NFT. The same goes for access credentials – possession of credentials guarantees access.”

According to Javvad Malik, Security Awareness Advocate at KnowBe4, there has been an observable increase in cryptocurrency attacks, with social engineering as a popular tactic.

“Although the underlying blockchain technology is often secure, people still need to log in to services or their wallet with username and password,” Malik said. “These credentials can be stolen by a user through a phishing email, a form, an SMS or other forms of social engineering.”

Malik advises people to be vigilant, trust the right sources of information and avoid sharing credentials with third parties.

“They should navigate to websites directly and avoid clicking on links through unsolicited emails. Cold wallets should be used where possible and multifactor authentication should be enabled.”
