Over 7 million OpenSea users are at risk after email addresses compromised in a 2022 data breach were recently made fully public.
According to blockchain security firm SlowMist’s chief information security officer, 23pds, the leaked data significantly increases the risk of phishing and other attacks. In a Jan. 13 X post, the security researcher alerted crypto community members that the compromised data had been disseminated multiple times before it was publicized.
23pds added that the leaked data includes email addresses belonging to prominent figures in the cryptocurrency industry, such as former Binance CEO Changpeng “CZ” Zhao, as well as well-known companies, key opinion leaders, and other influential individuals, warning that it poses additional risks to the privacy and asset security of the crypto industry in the future.
The email addresses in question were compromised in a June 2022 incident involving an employee of Customer.io, OpenSea’s email delivery vendor, who misused their access to download and share email addresses provided by OpenSea users and newsletter subscribers with an unauthorized external party.
At the time, the non-fungible token marketplace advised users to be on the lookout for phishing and impersonation attempts, warning against downloading attachments or signing wallet transactions from email links, adding that all official communication would come only from its ‘opensea.io’ domain.
As one of the largest NFT marketplaces, OpenSea users have been targeted by phishing scammers on several occasions.
Just months after the data leak, in December 2022, a blockchain security platform alerted users that attackers were using phishing websites to exploit OpenSea’s gasless transaction feature. Victims were tricked into signing unintelligible signature requests, which unknowingly authorized private sales or immediate transfers of valuable NFTs to the account of the attackers.
In November 2023, OpenSea developers were targeted by phishing campaigns, including fake developer account risk alerts, leading some experts to believe developer contact information may have been breached.
Similarly, in January 2024, scammers sent emails to OpenSea users promising an exclusive mint event for a limited edition NFT collaboration between Nike and RTFKT. The email claimed recipients were among 400 selected participants and included a link to “Mint RTFKT Now,” which reportedly directed victims to a malicious website designed to steal wallet information or funds.
Phishing scams remain a major threat for cryptocurrency enthusiasts due to the many forms they come in, making them difficult to trace and even harder to prevent effectively. Experts advise users to stay vigilant by verifying email sources, avoiding clicking on unknown links, enabling two-factor authentication, and never sharing private wallet keys or sensitive information online.