Menu
Browse

Cyber Incident Victim: OpenSea

Date:

Jun 2022

Location:

United States of America

Summary

OpenSea disclosed that an employee of its email delivery vendor, Customer.io, improperly accessed and shared the email addresses of users and newsletter subscribers with an unauthorized external party. The company learned of the breach, reported the incident to law enforcement, and is cooperating with the ongoing investigation.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

On June 1 2022 OpenSea published an update disclosing a security incident involving its email delivery vendor Customer.io. The company learned that an employee of Customer.io had misused their internal access to download and share email addresses that OpenSea had collected from users and newsletter subscribers with an unauthorized external party. OpenSea stated that anyone who had previously provided their email address to the service should assume they were affected by the breach. The compromised data consisted solely of email addresses; no passwords, wallet phrases, or other personal information were reported as exposed.

Cyber Incident Image

In response to the discovery OpenSea reported the incident to law enforcement and indicated that it is cooperating with the ongoing investigation conducted by Customer.io. The company said it is working closely with the vendor to understand the scope of the misuse and to address any security gaps that allowed the employee’s actions. OpenSea emphasized that it had notified the appropriate authorities and was providing assistance as required.

OpenSea noted that the exposure of email addresses could increase the likelihood of phishing attempts that impersonate the platform via email. The firm explained that malicious actors might use the obtained addresses to send messages that appear to originate from OpenSea but actually come from domains designed to resemble the official opensea.io address. The update concluded by reminding recipients that OpenSea would only send emails from the opensea.io domain and that legitimate communications would never contain attachments, requests to download files, or prompts to sign wallet transactions directly from email.

Sources
Sources available to members
1 source