NFT marketplace data leak leaves users vulnerable to phishing scams

OpenSea has disclosed that an employee of an email vendor, Customer.io, has leaked users’ email addresses to an unauthorised external party.
The world’s biggest NFT marketplace said it is cooperating with Customer.io and law enforcement to assist with the investigation.
“If you have shared your email with OpenSea in the past, you should assume you were impacted,” OpenSea head of security Cory Hardman said.
Hardman explained that since the data compromise included email addresses, there could be an increased likelihood of phishing attempts.
“Please be aware that malicious actors may try to contact you using an email address that looks visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation),” Hardman said.
Hardman recommended a few guidelines to help users avoid becoming victims of phishing attacks.
Users should never download attachments from OpenSea emails and must not share or confirm their passwords or secret wallet phrases.
Furthermore, users should always confirm that the URLs in OpenSea emails are legitimate, and they must never sign a wallet transaction prompted via an email.
Hardman advised OpenSea users to report fishy communications to support.opensea.io.
OpenSea users were the targets of multiple phishing attacks throughout the past year.
In late August 2021, scammers impersonating customer support on OpenSea’s official Discord server hijacked users’ wallets.
The latest phishing attack campaign was conducted in February 2022 and involved attackers using fake listing migration emails to steal NFTs worth $2 million (32.7 million).