- A Customer.io employee shared email addresses with an unauthorized external party
- OpenSea warned users of fraudsters trying to impersonate the platform by using fake domain names
Collectibles platform OpenSea has alerted customers to a data breach after staff found email addresses were shared with an external party.
Head of Security Cory Hardman said in a blog post on Wednesday that an employee of Customer.io, OpenSea’s email delivery vendor, abused their access by downloading and externally sharing customer data.
“If you have shared your email with OpenSea in the past, you should assume you were impacted,” he wrote. “We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”
The company further warned customers might face phishing attacks — attempts by cybercriminals posing as credible institutions with an aim to obtain sensitive information — by using a domain name similar to the official “opensea.io,” such as “opensea.org” or “opensae.io.”
Customer.io didn’t immediately return Blockworks’ request for comment.
A similar incident occurred in March, when hackers breached third-party marketing vendor HubSpot to target large crypto stakeholders. NYDIG, Pantera Capital, BlockFi, Circle and Swan Bitcoin were among the affected companies.
OpenSea found itself in a sea of trouble thanks to another incident prior the data breach. The Department of Justice earlier this month indicted its former head of product, Nathaniel Chastain, with insider trading in connection to non-fungible tokens (NFTs). He was charged with one count of wire fraud and another count of money laundering.