OpenSea NFT Marketplace Faces Insider Hack
OpenSea, the largest NFT (non-fungible token) marketplace, announced this week that an employee of Customer.io, one of its email vendors, had accessed and downloaded the company’s email list. It added that anyone who has ever shared an email address with the platform should assume they are affected.
OpenSea currently has almost 2 million users.
“Please note that malicious actors may try to contact you using an email address that looks visually like our official email domain, ‘opensea.io’ (like ‘opensea.org’ or another variant),” the company told users in a statement about the data leak.
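The look-alike-domain warning above lends itself to a simple mailbox-side check. The following is an added example, not code from OpenSea or from the article: it extracts the From: domain of a message, compares it with the official opensea.io domain, and flags TLD swaps, one-character typos, and domains that merely embed the name. The sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Official domain named in OpenSea's notice; everything else is suspect.
OFFICIAL_DOMAINS = {"opensea.io"}

def sender_domain(raw_message: str) -> str:
    """Lower-cased domain of the From: header ('' if the header is missing)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str) -> str:
    """Return 'official', 'lookalike' (worth flagging), or 'unrelated'."""
    if domain in OFFICIAL_DOMAINS:
        return "official"
    label, _, tld = domain.partition(".")
    for official in OFFICIAL_DOMAINS:
        off_label, _, off_tld = official.partition(".")
        if label == off_label and tld != off_tld:   # e.g. opensea.org
            return "lookalike"
        if edit_distance(label, off_label) <= 1:     # e.g. opensaa.io, 0pensea.io
            return "lookalike"
        if off_label in domain:                      # e.g. opensea.io.example.net
            return "lookalike"
    return "unrelated"

def classify_message(raw_message: str) -> str:
    return classify_domain(sender_domain(raw_message))

# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": "From: OpenSea <noreply@opensea.io>\nSubject: Your listing\n\nHi\n",
    "tld":   "From: OpenSea <support@opensea.org>\nSubject: Verify wallet\n\nHi\n",
    "typo":  "From: OpenSea <alerts@opensaa.io>\nSubject: Action needed\n\nHi\n",
    "embed": "From: OpenSea <help@opensea.io.verify.example>\nSubject: Wallet\n\nHi\n",
    "other": "From: Newsletter <news@example.com>\nSubject: Hello\n\nHi\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:6} {sender_domain(raw):32} -> {classify_message(raw)}")
```

A real deployment would also check SPF/DKIM/DMARC results rather than the From: header alone, since the header is trivially spoofable.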
Paul Laudanski, head of threat intelligence at email security company Tessian, notes that insider abuse is inherently difficult to detect, and more so when the person is an authorized user. He advises all organizations to examine their third-party risk management protocols and to have a clear understanding of how and where their data is stored.
“The data breach revealed today is a strong reminder of the dangers of insider threats,” he said. “In this case, an authorized user abused his employee access to download and share email addresses of OpenSea users and newsletter subscribers with an unauthorized third party.”
The company is working with police to investigate the incident, according to the OpenSea statement.
Lucrative Data Set for Cybercrooks
Stephen Banda, senior manager at Lookout, says the breach was most likely financially motivated, given that the OpenSea email list is a potentially lucrative data set for cybercriminals.
“It’s a lucrative market for stolen information and credentials,” he notes. “In this case, 2 million email addresses to customers in the world’s largest NFT marketplace will be very attractive to bad players who want to launch broad phishing attacks.”
It is also likely that attackers will use the email list to steal NFTs from unsuspecting OpenSea users, predicts Karl Steinkamp, director of Coalfire.
“The disclosure of the email list certainly gives the attacker a solid base of active individuals who may try to steal their NFTs and likely distribute malicious software,” warns Steinkamp. “Individuals and businesses that receive emails from OpenSea about new and ongoing activities should instead perform them manually through the opensea.io website.”
As more companies turn to NFTs for marketing and brand awareness, Laudanski says they should keep in mind that the OpenSea incident is part of a larger pattern: cybercriminals have taken notice of the sector.
“In general, we see a trend emerging with attacks on crypto startups with hackers trying to get transactions signed by wallet owners through fraudulent means,” he notes. “Today’s announcement should serve as a wake-up call for all crypto startups to review their security measures and practices and those of their third-party partners and external vendors.”