Cyber Incident Victim: OpenSea
Date: Jun 2022
Location: United States of America
Summary
A security incident occurred at a third-party email vendor used by OpenSea, where an employee of the vendor improperly accessed user email addresses and shared them with an unauthorized external party. Individuals who had provided their email addresses to the platform were potentially affected, leading to heightened risks of phishing attempts through impersonation tactics such as deceptive email domains mimicking official communications. The company engaged law enforcement and collaborated with the vendor's investigation while urging users to verify email sources and avoid interacting with suspicious links or requests for sensitive information.
Description
On or around June 1, 2022, OpenSea disclosed a security incident involving unauthorized access to user email addresses through a third-party vendor. The breach occurred when an employee of Customer.io, OpenSea’s email delivery provider, improperly used their access privileges to download and transfer email addresses belonging to OpenSea users and newsletter subscribers to an external unauthorized party. OpenSea confirmed that any individual who had previously shared their email address with the platform should consider their information compromised. The company initiated a coordinated response with Customer.io’s internal investigation team and formally reported the incident to law enforcement authorities. No evidence suggested compromise of OpenSea’s internal systems, wallets, or user passwords, as the incident was isolated to the vendor’s misuse of email data.

The primary impact centered on heightened risks of phishing attacks targeting affected users due to the exposure of email addresses. OpenSea warned that malicious actors could employ visually similar email domains—such as 'opensea.org' instead of the legitimate 'opensea.io'—to impersonate the platform. The company issued specific guidance to help users identify legitimate communications, clarifying that authentic OpenSea emails would exclusively originate from the 'opensea.io' domain, contain no attachments or download requests, and include hyperlinks only to 'email.opensea.io' subdomains. They emphasized that OpenSea would never solicit passwords, secret wallet phrases, or direct wallet transaction signatures via email. As part of their transparency measures, OpenSea directed users to report suspicious emails through their official support channel while continuing to cooperate with law enforcement’s investigation into the vendor employee’s actions.
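
The three checks in OpenSea's guidance above can be applied mechanically to a raw message. The following is an added example, not OpenSea's or Customer.io's code; the function name, the sample messages, and the reading of "'email.opensea.io' subdomains" as that host plus any host beneath it are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

SENDER_DOMAIN = "opensea.io"    # sender domain named in the guidance
LINK_HOST = "email.opensea.io"  # link host named in the guidance
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def check_email(raw: str) -> list[str]:
    """Return the guidance rules a raw RFC 5322 message violates (empty list = none)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Rule 1: sender domain must equal opensea.io exactly (opensea.org fails).
    addr = parseaddr(str(msg.get("From", "")))[1]
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain != SENDER_DOMAIN:
        findings.append(f"sender domain {domain!r} is not {SENDER_DOMAIN}")
    # Rule 2: authentic mail carries no attachments.
    for part in msg.iter_attachments():
        findings.append(f"attachment present: {part.get_filename()!r}")
    # Rule 3: every link must resolve to email.opensea.io or a host beneath it.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            try:
                # Compare the parsed hostname, never a string prefix of the URL.
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:
                host = ""
            if host != LINK_HOST and not host.endswith("." + LINK_HOST):
                findings.append(f"link to unexpected host {host!r}")
    return findings

# Constructed sample messages (not real OpenSea mail).
GOOD = (
    "From: OpenSea <noreply@opensea.io>\n\n"
    "View your listing at https://email.opensea.io/c/abc123\n"
)
LOOKALIKE = (
    "From: OpenSea <noreply@opensea.org>\n\n"
    "Confirm your account at https://opensea.org/verify\n"
)

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("LOOKALIKE", LOOKALIKE)):
        print(name, check_email(raw) or "consistent with the guidance")
```

The From header is only trustworthy once the message has passed the receiving server's SPF/DKIM/DMARC evaluation, so this check belongs after that step, not in place of it.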
