More than 7 million OpenSea users are at risk after email addresses compromised in a 2022 data breach were recently fully exposed.
According to the chief information security officer of blockchain security firm SlowMist, 23pds, the leaked data significantly increases the risk of phishing and other attacks. In an X post on January 13, the security researcher warned members of the crypto community that the compromised data had been distributed multiple times before being made public.
23pds added that the leaked data includes email addresses of prominent figures in the cryptocurrency industry, such as former Binance CEO Changpeng “CZ” Zhao, as well as well-known companies, key opinion leaders and other influential individuals, warning that this poses additional risks to the privacy and asset security of the crypto industry in the future.
The email addresses in question were compromised in a June 2022 incident involving an employee of OpenSea's email delivery provider, Customer.io, who misused his access to download and share email addresses of OpenSea users and newsletter subscribers with an unauthorized third party.
At the time, the non-fungible token marketplace advised users to be wary of phishing and impersonation attempts, warning against downloading attachments or signing wallet transactions via email links, and adding that all official communications would come only from the 'opensea.io' domain.
OpenSea is one of the largest NFT marketplaces, and its users have been targeted by phishing scammers several times.
Just months after the data breach, in December 2022, a blockchain security platform warned users that attackers were using phishing websites to abuse OpenSea’s gasless transaction feature. Victims were tricked into signing incomprehensible signature requests, unknowingly allowing private sales or immediate transfers of valuable NFTs to the attackers’ accounts.
In November 2023, OpenSea developers were targeted by phishing campaigns, including fake risk alerts for developer accounts, leading some experts to believe that developers’ contact information may have been leaked.
Similarly, in January 2024, scammers sent emails to OpenSea users promising an exclusive minting event for a limited-edition NFT collaboration between Nike and RTFKT. The email claimed that the recipients were among 400 selected participants and included a link to "Mint RTFKT Now," which allegedly directed victims to a malicious website designed to steal wallet information or money.
Phishing scams remain a major threat to cryptocurrency enthusiasts due to the many forms they take, making them difficult to track and even harder to prevent. Experts advise users to remain vigilant by verifying email sources, avoiding clicking on unknown links, enabling two-factor authentication, and never sharing private wallet keys or sensitive information online.