Cyber Incident Victim: OpenSea
Date:
Jun 2022
Location:
United States of America
Summary
An employee of the email delivery vendor Customer.io misused their access to download and share email addresses of the platform's users and subscribers with an unauthorized external party. The platform learned of the breach, is cooperating with Customer.io's investigation, and has reported the incident to law enforcement.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 1, 2022, OpenSea published an update stating that it had learned of a security incident involving its email delivery vendor, Customer.io. According to the update, an employee of Customer.io misused their internal access to download email addresses that had been provided by OpenSea users and subscribers to the OpenSea newsletter. The employee then shared those email addresses with an unauthorized external party. OpenSea indicated that the discovery prompted an immediate internal review of the incident.

The compromised data consisted solely of email addresses; no other personal information such as passwords, wallet seed phrases, or transaction details was reported as exposed. OpenSea noted that anyone who had previously shared their email address with OpenSea should consider themselves potentially affected by the breach. The company explained that the exposure of email addresses could increase the likelihood of phishing attempts that impersonate OpenSea communications. OpenSea stated that it would continue to monitor for any misuse of the disclosed email addresses.
In response, OpenSea reported the incident to law enforcement and began cooperating with the ongoing investigation conducted by Customer.io. The company said it is working closely with the vendor to determine the full scope of the unauthorized access and to prevent similar incidents in the future. OpenSea also published a public blog post detailing the incident and provided a support channel at support.opensea.io for users to report any suspicious communications they receive. The update concluded by affirming OpenSea's commitment to user safety and its collaboration with authorities to address the breach.
