OpenSea רעפּאָרץ דאַטאַ בריטש, וואָרנז קאַסטאַמערז פון מעגלעך פישינג פרווון

OpenSea – one of the most popular NFT-centric platforms – has reported a data breach affecting the personally-identifying information (PII) of customers subscribed to the company’s mailing list.

Lax External Security at Fault

The breach was not caused by OpenSea itself, the firm explained. Rather, it was due to an employee of Customer.io, a third-party platform hired by OpenSea to manage social media communications.

This is not the first time Customer Relationship Management (CRMs) platforms have proven to be a chink in the armor for crypto and NFT platforms. As recently as March, a similar CRM – Hubspot – was responsible for a nearly identical data breach affecting Circle, Swan Bitcoin, BlockFi, and NYDIG.

An Uptick in Phishing Attempts Expected

OpenSea officially מודיע the breach in a blog post published only a few hours ago. In the statement, the company warned users that the amount of data stolen is suspected to be rather large, advising them to be extra vigilant.

On Twitter, OpenSea customers are already reporting suspicious e-mails, phone calls, and messages directed at them, which are believed to be taking place due to info stolen by the Customer.io employee.

מיין אינפֿאָרמאַציע איז בריטשט דאַנק צו OpenSea און Customer io? האר דזשעעבוס העלפן מיר. איך איז געווען וואַנדערינג וואָס איך האט אַזוי פילע ספּאַמי טעקסץ, טעלעפאָן קאַללס און ימיילז לעצטנס. ?

— מצילמאזאטל (לבנה הירש)??️‍? (@TheAscendant3) יוני קסנומקס, קסנומקס

The spokesperson for OpenSea also confirmed that the team has already contacted the relevant legal authorities about the breach. Unlike recent exploits of blockchain-related platforms, this attack is centered on customer data – which, unlike tokens, are heavily protected by governments around the world.

"אויב איר האָט שערד דיין E- בריוו מיט OpenSea אין דער פאַרגאַנגענהייט, איר זאָל יבערנעמען אַז איר האָט ימפּאַקטיד. מיר ארבעטן מיט Customer.io אין זייער אָנגאָינג ויספאָרשונג, און מיר האָבן געמאלדן דעם אינצידענט צו געזעץ ענפאָרסמאַנט. ביטע בלייבן ווידזשאַלאַנט וועגן דיין E- בריוו פּראַקטיסיז, און זיין פלינק פֿאַר קיין פּרווון צו ימפּערסאַנייט OpenSea דורך E- בריוו.

OpenSea has already begun to send out e-mails to addresses confirmed to have been affected, briefly explaining how the breach came about and warning users to be on their guard.

OpenSea דאַטן בריטש. pic.twitter.com/FEtDKsoHje

- eric.eth (@econoar) יוני קסנומקס, קסנומקס

Several anti-phishing best practices are also touched on in the e-mail – along with a reminder that opensea.io is the only legitimate website domain owned by the company. A warning to avoid downloading attachments is also included, reiterating that e-mails from OpenSea do not have attachments as a general rule.

Hyperlinks were also touched on – although OpenSea e-mails may include some, any link prompting a user to sign a wallet transaction should be assumed to be fraudulent.

In closing, OpenSea promises to update users about the situation whenever possible and requests that any phishing attempts be reported to their support team.