If you’ve shared an email address with NFT marketplace OpenSea, you’ll probably start getting some phishy emails soon.
On Wednesday, OpenSea said that an employee of its email delivery vendor Customer.io has misused employee access to share email addresses with an “unauthorized third party.” These are addresses that OpenSea users and subscribers to the company’s newsletter shared with OpenSea.
“We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” the company said in a blog post.
Putting aside the fact that one of your email delivery vendor’s main jobs is not to leak user addresses around, this isn’t as horrible as some other data breaches, as only user email addresses were affected.
But since this is crypto, it’s near-certain that basically every OpenSea user will start receiving phishing emails, with the idea to impersonate OpenSea and get them to install malware or hand over their cryptocurrency private keys.
In its blog post, OpenSea is preparing users for this possibility with some tips on what types of phishing addresses they might see, and a list of precautions they should take, including only trusting emails that are coming from the domain “opensea.io,” never downloading any attachments in an OpenSea email, and never sharing passwords or secret wallet phrases with anyone. Users should also be wary of any URLs shared in an OpenSea email, and they should never sign wallet transactions prompted directly from an email.
This is far from the first security issue OpenSea has had in its history. In January, hackers exploited a vulnerability in order to sell users’ NFTs and keep the profit; in May, OpenSea’s Discord was hacked. And let’s not forget that an OpenSea employee was arrested for insider trading in June.