OpenSea has warned its users that they may be at risk to a scammer that has hacked the company from the inside.
The world’s largest NFT marketplace has taken to its blog to announce that an employee at Customer.io, which is the company’s email vendor, used their employee access to download and share email addresses from OpenSea users, along with any subscribers to the OpenSea newsletter. OpenSea has stated that an investigation has been launched into the matter and that law enforcement has already been contacted regarding the hack.
Since the hack was predominately email address-targeted, users should be very careful about being contacted via email by anyone who is stating they are an OpenSea employee. The NFT platform explains that the email address malicious actors will use will look very similar to the official email domain – ‘official email address domain = “opensea.io“. The platform stresses in its safety and recommendations that it will only ever contact users from the domain “opensea.io” and that any other variation of the email is illegitimate.
Furthermore, OpenSea recommends that users never download anything from an OpenSea email, as authentic OpenSea emails will never contain anything that is downloadable or any attachment files. While it may be obvious to some, never share any secret wallet phrases or passwords with anyone, even if they are saying they are an OpenSea employee.
“The disclosure of the email list certainly gives the attacker a solid base of active individuals from which to attempt to steal their NFTs and, likely, distribute malware. Individuals and companies who receive emails from OpenSea about new and ongoing activities should instead conduct these manually through the opensea.io website,” warns Karl Steinkamp, the director at Coalfire.
“The disclosure of the email list certainly gives the attacker a solid base of active individuals from which to attempt to steal their NFTs and, likely, distribute malware. Individuals and companies who receive emails from OpenSea about new and ongoing activities should instead conduct these manually through the opensea.io website,” warns Karl Steinkamp, the director at Coalfire.
Notably, users should never sign a wallet transaction via email. OpenSea states that its official emails will never contain links that prompt users to sign a wallet transaction. Stephen Banda, a senior manager at Lookout, a cybersecurity company, said that the internal hack was likely financially motivated as there is a very lucrative market for user data, especially cryptocurrency-based user data.
“There is a lucrative market for stolen information and credentials. In this case, 2 million email addresses of customers of the world’s biggest marketplace for NFTs will be highly attractive to bad actors looking to launch broad phishing attacks,” said Banda.
“There is a lucrative market for stolen information and credentials. In this case, 2 million email addresses of customers of the world’s biggest marketplace for NFTs will be highly attractive to bad actors looking to launch broad phishing attacks,” said Banda.
In other NFT news, the market has seemingly taken a sharp dive off a cliff, with even extremely popular projects such as Bored Apes being down as much as 30% in just 30 days.
Jak Connor
Jak joined the TweakTown team in 2017 and has since reviewed 100s of new tech products and kept us informed daily on the latest science and space news. Jak’s love for science, space, and technology, and, more specifically, PC gaming, began at 10 years old. It was the day his dad showed him how to play Age of Empires on an old Compaq PC. Ever since that day, Jak fell in love with games and the progression of the technology industry in all its forms. Instead of typical FPS, Jak holds a very special spot in his heart for RTS games.
