OpenSea Email Breach: This Is What You Got To do Next

Kazi Mahmood -

Following a data breach, OpenSea, a major NFT marketplace, is alerting customers to email phishing after email addresses were shared with an unauthorised third party.

The breach is by a worker at Customer.io, an email vendor hired by OpenSea, used employee access to download and distribute email addresses of OpenSea’s users and newsletter subscribers with an unauthorised third party. Basically, it is a haul of almost all emails registered with OpenSea.

The company has sent emails to subscribers telling them what to do next after this massive breach.

Guidelines from OpenSea

At this time, we believe that your email address may have been part of the customer.io data incident.

Please be extra cautious about email safety during this time. For reference, we’ve laid out some email safety best practices below. 

This is how attackers infiltrated a single server for months

 Safety Recommendations:

  1. Be cautious of phishing emails from addresses trying to impersonate OpenSea. OpenSea will ONLY send you emails from the domain: ‘opensea.io.’ Please do not engage with any email claiming to be from OpenSea that does not come from this email domain.  
  2. Never download anything from an OpenSea email. Authentic OpenSea emails do not include attachments or requests to download anything.  
  3. Check the URL of any page linked in an OpenSea email. We will only include hyperlinks to ‘email.opensea.io’ URLs. Make sure that ‘opensea.io’ is spelled correctly, as it’s common for malicious actors to impersonate URLs by shuffling letters.  
  4. Never share or confirm your passwords or secret wallet phrases. OpenSea will never prompt you to do this – in any format. 
  5. Never sign a wallet transaction prompted directly from an email. OpenSea emails will never contain links which directly prompt you to sign a wallet transaction. Never sign a wallet transaction that doesn’t list the origin of https://opensea.io if you were led there by email.

The company insists the clients trust and safety remains a top priority. “We wanted to share the information we have at this time. We’ve reported the incident to law enforcement and are cooperating with their investigation,” it says.