Millions of OpenSea user emails were exposed after the marketplace’s automation vendor leaked them in mid-2022.
A SlowMist executive has cautioned that the recent “full publicization” of over seven million email addresses compromised in an OpenSea email vendor breach in 2022 has provided scammers with a new treasure trove of information.
“Do you recall the attack on the OpenSea mail service provider in [2022] that resulted in the leakage of emails?”
“The leaked email addresses have now been fully publicized after multiple dissemination,” wrote “23pds,” SlowMist’s chief information security officer, in a post on X on January 13.
In an interview with Cointelegraph, 23pds disclosed that the data had not been made public until recently, even though the attack took place in June 2022. Consequently, “all groups of attackers can use this information for phishing and scamming.”
“Previously, it was not made public. Now all the leaked data has been made public in its entirety and is available to anyone who wants it.”
A screenshot of a Telegram message with an attachment named “opensea.io_mail_list.rar” was shared by 23pds with Cointelegraph. The attachment is purportedly containing 7 million entries.
In a post initially written in Chinese, 23pds said on X that the amount of leaked data had reached 7 million.
This included a significant amount of email information from overseas cryptocurrency practitioners, including many well-known individuals, companies, and key opinion leaders (KOLs) in the industry.
On June 29, 2022, OpenSea, one of the world’s largest non-fungible token (NFT) marketplaces, issued its initial notification to customers regarding a data breach.
The company had discovered that an employee of Customer.io, its email automation platform, had disclosed the list of OpenSea customer emails to an external party.
“If you have previously shared your email with OpenSea, it is reasonable to assume that you were affected.”
“We have reported this incident to law enforcement and are currently collaborating with Customer.io in their ongoing investigation,” it stated.
Preventing Phishing Schemes
23pds recommended that individuals who suspect that their email has been compromised establish robust and distinctive passwords and utilize a password manager to safeguard them.
They recommended the use of an authenticator app over SMS-based 2FA and advised the use of two-factor authentication (2FA) whenever feasible. Additionally, they advised the maintenance of device software updates.
In 2024, phishing scams were one of the most significant security concerns, with attackers able to make off with over $1 billion of stolen digital assets from 296 incidents, according to CertiK.
“The most expensive attack vector last year was phishing,” a spokesperson for CertiK previously disclosed to Cointelegraph. “Our figures are conservative; the actual figure is higher when unreported incidents and other types of phishing scams, such as pig butchering, are taken into account.”
