OpenSea, the largest NFT marketplace by trading volume, suffered a data breach after an employee of Customer.io abused their access by leaking customer e-mails.
In a blog post on Thursday, the marketplace said that an employee of Customer.io “misused their employee access to download and share email addresses – provided by OpenSea users and subscribers to our newsletter – with an unauthorized external party,” adding that all customers should assume they have been impacted.
The company reported the attack to the relevant authorities, and further warned that customers should expect phishing attacks by cybercriminals who might use a domain name similar to the official “opensea.io,” such as “opensea.org” or “opensae.io.”
OpenSea’s head of security Cory Hardman also recommends that customers check the URLs of pages linked in OpenSea emails, not download or open any email attachments, and not share their passwords or secret wallet phrases or sign wallet transactions if prompted directly via email.
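The URL check recommended above can be automated on the receiving side. The following is an added example, not code from OpenSea or Customer.io: it classifies the link hosts in an email body against the official domain and flags the two lookalike patterns the article names. The sample message, the function names and the distance threshold of 2 are assumptions.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "opensea.io"  # official domain named in the article

# Constructed sample message; the links are illustrative, not captured data.
SAMPLE_EMAIL = """Review your listing: https://opensea.io/account
Verify your wallet: https://opensae.io/verify
Updated terms: https://www.opensea.org/tos
"""

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent characters costs 1."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify_host(host, official=OFFICIAL):
    """Return 'official', 'tld-swap', 'typo' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    if host == official or host.endswith("." + official):
        return "official"
    name = official.split(".")[0]
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Assumption: the label before the TLD is the registered name. A production
    # check would use the Public Suffix List to handle suffixes like co.uk.
    if labels[-2] == name:
        return "tld-swap"   # e.g. opensea.org
    if osa_distance(labels[-2], name) <= 2:  # threshold is an assumption
        return "typo"       # e.g. opensae.io
    return "unrelated"

def audit_links(body, official=OFFICIAL):
    """List (host, verdict) for every link that is not on the official domain."""
    findings = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host, official)
        if verdict != "official":
            findings.append((host, verdict))
    return findings

if __name__ == "__main__":
    for host, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:9} {host}")
```

Every host that is not the official domain or one of its subdomains is reported, so an "unrelated" verdict still marks a link that does not lead to opensea.io.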