One of the biggest non-fungible token (NFT) marketplaces, OpenSea (1), issued a warning to its users after learning that a Customer.io (2) employee had sent emails to an unauthorized external party.
Customer.io is a platform that manages email newsletters and campaigns for OpenSea. This breach affected all the users who ever gave their emails to the marketplace platform or for the newsletter. OpenSea also advised the users about possible phishing attempts.
OpenSea announced that it has contacted law enforcement officials about the breach and that an investigation is in progress.
OpenSea's Discord server was breached in May (3), which resulted in widespread phishing attacks. User wallets were taken advantage of, which was considered a serious assault. The first attack was the most significant since it allowed criminals to sell NFTs without users' consent. The store was forced to accept a $1.8 million loss.
In March, HubSpot (4), a similar service provider to Customer.io, was hacked, which exposed users’ usernames, phone numbers, and emails on various platforms such as BlockFi (5), Swan Bitcoin (5), NYDIG (6), and Circle (7).
Bored Ape Yacht Club (BAYC) (8) also suffered two hacks, the first on its Discord server and the second on its Instagram account.
While users have reported spam emails, calls, and texts via Twitter, OpenSea has also warned customers about hackers who may try to contact them via several sites similar to OpenSea.io or OpenSea.XYZ.
Spam: ignore or block it, but do not open it
An email delivery vendor’s main responsibility is not to leak its users' email addresses. The incident occurred nonetheless, and an investigation is underway. Keep in mind that the data breach was large in scale: email addresses were affected, but no personal information was compromised.
Because this involves crypto, NFTs, and a major marketplace, users might start receiving spam emails that impersonate OpenSea websites and lure them into installing malware or ask for their crypto keys.
OpenSea's blog provides tips and prepares users for how hackers might try to invade their emails.
- Trust emails only from the main domain "opensea.io".
- Do not download or install anything from an attachment or link.
- Do not share your password or your wallet keys.
- Make sure you do not click on any URLs.
- Never sign wallet transactions over an email link.
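The first tip, trusting only the "opensea.io" sender domain, can be checked mechanically. The sketch below is an added example, not code from OpenSea or from this article. The function name, the 0.8 similarity threshold, the exact-match rule and the sample headers are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

TRUSTED_DOMAIN = "opensea.io"  # the only sender domain the tips above trust
BRAND = "opensea"

def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'impersonation' or 'other' for a From header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Exact match only (assumption: subdomains are not accepted automatically).
    if domain == TRUSTED_DOMAIN:
        return "trusted"
    # A label that contains or nearly equals the brand marks a lookalike domain:
    # opensea.xyz, opensea.io.example.net, 0pensea.io.
    for label in domain.split("."):
        if BRAND in label or SequenceMatcher(None, label, BRAND).ratio() >= 0.8:
            return "lookalike"
    # Brand appears only in the display name; the address itself is unrelated.
    if BRAND in name.lower().replace(" ", ""):
        return "impersonation"
    return "other"

# Constructed sample headers, not taken from real messages.
SAMPLES = [
    "OpenSea <noreply@opensea.io>",
    "OpenSea <noreply@opensea.xyz>",
    "OpenSea <noreply@opensea.io.example.net>",
    "Support <help@0pensea.io>",
    '"OpenSea Support" <nft.help@gmail.com>',
    "Alice <alice@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):13} {header}")
```

A matching From domain is necessary but not sufficient, because the header itself can be forged. The receiving mail server's SPF, DKIM and DMARC results are what tie a message to the domain it claims.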
Terms such as "crypto" and "NFT-based startups possessing digital assets" have been in vogue lately as the market grows and money floods into the industry. Decentralized blockchain-based platforms are promising because they provide better security, but many users prefer centralized services for convenience.
The history of attacks on OpenSea
OpenSea’s security has failed twice, with the first incident being more serious than the recent breach. The Discord server was hacked, and a bot posted a message that appeared to announce a YouTube and NFT collaboration and linked to a lookalike site (yoytubenft.art). The message lured people into opening the website, which was set up to gain access to users' crypto wallets.
Users were offered 100 NFTs with over 80% minted out, which led them to open the link with no idea they were being hacked. The Discord incident caused a loss of around $20,000.
The very first attack on OpenSea, however, did major damage to the marketplace. OpenSea reported that 250 NFTs were stolen, including tokens from the popular Bored Ape Yacht Club (9) and Decentraland (10).
The phishing attack cost millions, as the hackers made $1.7 million in Ether by selling stolen NFTs. It happened when OpenSea announced a new smart contract and recommended that users switch from the Ethereum blockchain (11) to the other smart contract.
A week was set aside before inactive NFTs on OpenSea would vanish, and the stolen NFTs all belonged to those who manually migrated to OpenSea.
Is it that easy to steal NFTs?
Scams are certainly not new, and many have lost their entire collection. In March 2021, Nifty Gateway (12) was hacked. Users did receive their money back but lost the NFTs they owned. The hackers reportedly sold all of the stolen NFTs on popular marketplaces.
It was claimed that the users didn’t have two-factor authentication, which allowed attackers to gain access and obtain the data with valid credentials. This also led to thousands of dollars' worth of NFTs being lost by collectors whose digital wallets just disappeared.
These incidents indicate one thing: hackers readily exploit platforms with loose security. Hackers can easily access and get information if the user has digital assets stored on their computer.
Around $44.2 billion worth of cryptocurrency was transferred into two types of Ethereum smart contracts (13) that were connected to NFT marketplaces, and around $3 million was sent over forbidden addresses.
How can digital assets be kept safe?
Before giving out any details, users must make sure the request is not suspicious, and only then sign with their wallets online. In the OpenSea attack, users signed something, sometimes without even realizing what was going on.
OpenSea is one of the major marketplaces, and it is possible that no one saw this coming, but even a slight lapse in security is enough for hackers to enter and demolish the entire system.
It is certainly not safe to keep the Bitcoin (14), Litecoin (15), or NFT assets you hold in a single wallet. Storing them in a hardware wallet with two-factor authentication keeps the private keys disconnected from the internet and out of reach of tricksters.
Fake minting and dead links:
When you attempt to mint your assets, fake websites duplicate every aspect of the real thing and wipe out your entire wallet. Do not open or even view shares, dead links, or market accounts that appear to be legitimate.
During a live session or stream where you share your screen and your NFTs, you might not notice who is watching and assume that only real users are, but there is always a risk. Even screenshots cannot be trusted.
Fake emails from @gmail.com addresses invite you to fill in your information, then empty or even take over your wallet and disappear with whatever you own. They also copy OpenSea's branding and include a shareable link that will install malware on your system if you open it. Simply ignore such emails and do not click on the offered link.
The NFT market has skyrocketed and promises a bright future and potential for digital creators. However, hackers have their eyes all over the web.
Nevertheless, taking the right precautions will secure your digital assets and alert you to potential attackers' plans.