Recently, the NFT marketplace OpenSea issued a warning to its users, as well as to those who subscribe to the company’s newsletter, that an employee at OpenSea’s email delivery vendor, Customer.io, downloaded a file containing email addresses and shared it with an unauthorized party. In response, OpenSea is advising all potentially affected parties to watch for upcoming phishing emails designed to get victims to provide their personal information.
If you believe you were affected by the OpenSea breach, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the OpenSea data breach, please see our recent piece on the topic here.
Additional Information About the OpenSea Data Breach
According to the company’s news release, OpenSea recently learned that there was what appears to be an intentional leaking of email addresses at Customer.io, a third-party email vendor. Evidently, an employee at Customer.io “misused their employee access to download and share email addresses” with an unauthorized party outside of the organization.
In the wake of the breach, OpenSea advised all users of the platform, as well as anyone who subscribes to the OpenSea newsletter, to be careful of unauthorized emails that appear to come from OpenSea. The company provided several examples of potential domain names from which a phishing email may originate, such as opensea.org, opensae.io, and opensea.xyz. The domain name for OpenSea is opensea.io.
Founded in 2017 in New York, New York, OpenSea is an NFT (non-fungible token) marketplace that allows users to buy and sell NFTs at a fixed price or through an auction format. The company deals in all types of NFTs, including collectibles, gaming items, domain names, digital art, and other items backed by blockchain technology. OpenSea employs more than 200 people and generates approximately $42 million in annual revenue.
Preventing Phishing Attacks
News of the OpenSea breach is limited, but the company indicates that the data breach leaked users’ email addresses. While a leaked email address doesn’t necessarily present the same level of concern as leaked Social Security numbers or financial data, hackers who obtain compromised email addresses may use them in an email phishing attack.
Hackers orchestrate cyberattacks in a few different ways. Phishing attacks are one of the most common types of cyberattacks. In a phishing attack, the hacker sends a seemingly legitimate email requesting that the recipient either provide their login credentials or click on a link. For example, hackers will often send the email under the guise that it’s from a business the potential victim has an account with, asking them to “reset” their password. If the victim responds, it gives the hacker access to the victim’s account. In some phishing attacks, hackers ask victims to click on a malicious link. By clicking on the link, the victim downloads malware onto their system, which can have various consequences but generally gives the hacker access to the victim’s system. The information obtained through a phishing campaign can then be used to commit fraud or identity theft against the owner of the information.
Phishing attacks are very common. According to a 2021 study, U.S. employees get an average of 14 malicious emails per year. However, consumers are also frequently targeted directly. One study looking at 55 million emails found that over one percent of all emails were phishing attempts. Because these attacks are very well designed, many people fall for the hackers’ tricks. In fact, on average, 30% of all phishing emails are opened.
Given the frequency of email phishing attacks, it is imperative to stay alert when checking your email and double-check all email domains to ensure they are legitimate. Those who have questions about a recent phishing attempt should contact a data breach lawyer for assistance.
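The domain check described above can be automated. The following Python sketch is an added example, not code from OpenSea or Customer.io; it classifies a message's From: address against the genuine domain opensea.io using the lookalike domains OpenSea named. The category names, the distance threshold, and the sample addresses are assumptions constructed for illustration.

```python
from email.utils import parseaddr

LEGIT = "opensea.io"             # the genuine domain, as stated in the article
BRAND = LEGIT.split(".")[0]      # "opensea"
MAX_TYPO_DISTANCE = 2            # assumption: tune per brand name length

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]

def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header, or ''."""
    _, addr = parseaddr(from_header)  # strips any display name such as "OpenSea"
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(from_header):
    """Label a sender as legitimate, a lookalike of the brand, or unrelated."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    # Assumption: subdomains of the genuine domain are treated as legitimate.
    if domain == LEGIT or domain.endswith("." + LEGIT):
        return "legitimate"
    labels = domain.split(".")
    if BRAND in labels:                      # e.g. opensea.org, opensea.xyz
        return "brand-on-other-domain"
    if any(edit_distance(label, BRAND) <= MAX_TYPO_DISTANCE for label in labels):
        return "typo-lookalike"              # e.g. opensae.io
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample headers using the domains named in the article.
    for sender in ["OpenSea <noreply@opensea.io>", "support@opensea.org",
                   "OpenSea <news@opensae.io>", "promo@opensea.xyz"]:
        print(f"{sender:32} {classify(sender)}")
```

A "legitimate" result only means the domain string matches; From: headers can be forged, so this check belongs alongside the mail server's SPF, DKIM and DMARC results rather than in place of them.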