The world’s largest NFT marketplace, OpenSea, has warned of possible phishing attacks after a third-party data breach exposed users’ email addresses.
Non-fungible tokens (NFTs) are unique tokens recorded on a blockchain, most commonly Ethereum, that represent ownership of a specific digital item such as an image, a video or other online content.
OpenSea is valued at around $13 billion and has around 1.5 million users, according to Dune Analytics. The third-party data breach could affect approximately 1.8 million newsletter subscribers and customers.
Third-party employee accessed customer information in the OpenSea data breach
According to OpenSea, an employee of its email delivery company uploaded and shared email addresses with an unauthorized party.
“We recently learned that an employee of Customer.io, our email delivery provider, abused their employee access to upload and share email addresses with an unauthorized external party,” said OpenSea.
“We are working with Customer.io in their ongoing investigation, and have reported this incident to law enforcement,” OpenSea wrote on its website.
“If we believe your email address has been affected, you will receive an email from the domain ‘opensea.io’,” the company tweeted on June 30, 2022.
The third party, Customer.io, added that it had revoked the access privileges of the employee who shared OpenSea email addresses with the unauthorized party.
Customer.io also stated that the unauthorized party did not receive any other OpenSea customer information, and that no other Customer.io clients were affected by the incident.
OpenSea anticipates that the third-party data breach impacted anyone who shared their email addresses with the NFT Marketplace.
“If you have shared your email with OpenSea in the past, you should assume that you have been impacted,” the NFT marketplace warned.
According to the Verizon 2021 Data Breach Investigations Report, insider threats account for nearly a quarter (22%) of all data breaches. Similarly, 51% of organizations have experienced a data breach caused by a third party, according to the Ponemon Institute.
“This case is unique because it appears to be an intentional act by a malicious insider, rather than an accidental leak due to faulty procedures or an outside attack from a hacker or hacking group,” said Adrien Gendre, Chief Tech and Product Officer at Vade.
“Third-party vendors pose a significant risk to businesses because, as a customer, you have no control over your vendors’ security policies or controls,” Gendre added. “It would be interesting to know if the provider has implemented a DLP system to prevent illegal transmission of data outside the company, and if so, to know why or how the data managed to be transmitted to an unauthorized third party.”
NFT marketplace warns of phishing from spoofed domains and imposters
The NFT marketplace has warned users to watch for phishing emails from third parties or from spoofed domains such as opensea.org, opensea.xyz and opensae.io, among others.
Users should also not download attachments from emails claiming to come from OpenSea, nor confirm passwords or wallet passphrases by email.
Similarly, they should not sign transactions sent by email, nor any transaction originating from a domain other than https://opensea.io.
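The advice above boils down to one mechanical check a mail filter or a cautious user can apply: reduce every sender address and link to its registrable domain, accept only an exact match against the legitimate domain, and treat anything that merely resembles it (same brand name under another TLD, or a one- or two-character typo such as opensae.io) as a lookalike rather than as untrusted noise. The following is an added example written for this page, not code from OpenSea or Customer.io. It assumes a single trusted domain (opensea.io), a simplistic two-label model of the registrable domain (a real deployment would use the Public Suffix List), an edit-distance threshold of 2 for typo detection, and two constructed sample messages.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# The only legitimate domain named on the page (assumption: no other OpenSea domains).
TRUSTED_DOMAINS = {"opensea.io"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'mail.opensea.io' -> 'opensea.io'; 'opensea.io.evil.com' -> 'evil.com'.
    Assumption: the registrable domain is the last two labels. A production
    filter should consult the Public Suffix List so that e.g. co.uk works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a transposition (opensae vs opensea) costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' (brand typo or TLD swap) or 'untrusted'."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.split(".")[0]
        if label == t_label:                    # opensea.org, opensea.xyz
            return "lookalike"
        if levenshtein(label, t_label) <= 2:    # opensae.io and similar typos
            return "lookalike"
    return "untrusted"


def audit_email(raw: str) -> dict:
    """Parse an RFC 5322 message; check the From: domain, every link and attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_header = str(msg.get("From", ""))
    sender_domain = registrable_domain(from_header.split("@")[-1].strip(">"))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = {
        "sender": (sender_domain, classify_domain(sender_domain)),
        "links": [],
        "has_attachment": any(part.get_filename() for part in msg.walk()),
    }
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        findings["links"].append((url, classify_domain(registrable_domain(host))))
    risky = (
        findings["sender"][1] != "trusted"
        or any(verdict != "trusted" for _, verdict in findings["links"])
        or findings["has_attachment"]          # page: never open attachments
    )
    findings["verdict"] = "suspicious" if risky else "ok"
    return findings


# Constructed sample messages (not real OpenSea or attacker mail).
PHISH = """From: OpenSea Support <support@opensae.io>
To: user@example.com
Subject: Verify your wallet

Your listing is on hold. Sign the transaction at https://opensea.org/verify
or see https://opensea.xyz/login to continue.
"""

LEGIT = """From: OpenSea <noreply@opensea.io>
To: user@example.com
Subject: Security notice

We recently learned of a third-party breach. Visit https://opensea.io/blog for details.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, audit_email(raw))
```

The check deliberately distinguishes "lookalike" from "untrusted": a mail from a random domain is ordinary spam, whereas a domain that is one typo or one TLD away from opensea.io is evidence of deliberate brand impersonation and deserves a higher-severity alert. Checking the registrable domain rather than a substring also catches hosts such as opensea.io.evil.com, which would pass a naive "contains opensea.io" test.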
NFT and crypto marketplaces are lucrative targets for cyberattacks
The recent incident came on the heels of other security incidents targeting the NFT market.
In February, fraudsters stole $1.7 million worth of NFTs via phishing, while hackers compromised a commonly used Discord bot in May 2022. Other crypto and NFT marketplaces have also become lucrative targets for attacks.
In May, Circle and BlockFi suffered cyberattacks via the customer relationship management (CRM) platform HubSpot, while a fraudster stole $150,000 from the Fractal NFT marketplace. Similarly, the Bored Ape Yacht Club lost $360,000 worth of NFTs in a phishing attack.
However, the Ronin cyberattack is the mother of all crypto heists, with attackers stealing $625 million in March 2022. Cybercrime experts have attributed the attack to the North Korean state-sponsored Lazarus Group.
“NFTs are a great example of how ‘possession is nine tenths of the law,’” said Tim Prendergast, CEO of strongDM. “If you have possession of the NFT, then you have possession of the NFT. The same goes for access credentials – possessing credentials guarantees access.”
According to Javvad Malik, Security Awareness Advocate at KnowBe4, there has been an observable increase in cryptocurrency attacks with social engineering as a popular tactic.
“Although the underlying blockchain technology is often secure, people still need to log into services or their wallets with a username and password,” Malik said. “These credentials can be tricked out of a user through a phishing email, form, SMS, or other forms of social engineering technique.”
Malik advises people to stay vigilant, trust appropriate sources of information, and avoid sharing identifying information with third parties.
“They should navigate directly to websites and avoid clicking on links through unsolicited emails. Cold wallets should be used whenever possible and multi-factor authentication should be enabled.”