Millions of OpenSea User Emails Leaked in 2022 Now Fully Public

Over 7 million email addresses compromised during a 2022 OpenSea email vendor breach have recently been fully publicized online, according to cybersecurity firm SlowMist. The data leak, which involved OpenSea’s email automation provider, Customer.io, now poses a heightened threat, enabling scammers and hackers to exploit the information for phishing and fraud.

Details of the Data Leak

SlowMist’s Chief Information Security Officer, “23pds,” highlighted the recent public dissemination of the leaked data in a January 13 post on X (formerly Twitter). The breach initially occurred in June 2022 when a Customer.io employee leaked OpenSea customer email addresses to an unauthorized third party.

At the time of the breach, OpenSea warned its customers, stating:
“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”

While the breach was disclosed in 2022, the full dataset had not been made publicly accessible until now. SlowMist reported that the leaked data includes not only general user emails but also those of prominent figures in the cryptocurrency and NFT industries, such as key opinion leaders (KOLs), companies, and high-profile practitioners.

Implications of the Leak

The now-public availability of the compromised data makes it easier for malicious actors to launch phishing attacks, scams, and other fraudulent schemes. Speaking with SlowMist, 23pds noted:
“Previously, it was not made public. Now all the leaked data has been made public in its entirety and is available to anyone who wants it.”

A screenshot shared by 23pds revealed a Telegram post from December 26 containing an attachment labeled “opensea.io_mail_list.rar,” which purportedly contains the email addresses of over 7 million users.

Preventing Phishing Attacks

To mitigate risks from the leaked email data, SlowMist has provided the following security recommendations:

  • Use Strong, Unique Passwords: Avoid reusing passwords and store them securely with a password manager.
  • Enable Two-Factor Authentication (2FA): Opt for an authenticator app rather than SMS-based 2FA for better security.
  • Keep Software Updated: Ensure that all device software is up to date to patch known vulnerabilities.

Rising Threat of Phishing Scams

Phishing scams were among the most significant security threats in the cryptocurrency sector in 2024. According to blockchain security firm CertiK, phishing attacks resulted in over $1 billion in stolen digital assets across 296 reported incidents.

“Phishing was the most costly attack vector last year,” a CertiK spokesperson stated. “Our figures are conservative; the actual figure is higher when you consider unreported incidents and other types of phishing scams, like pig butchering.”

Raj Sharma
I have been involved in the blockchain industry for over 5 years and have an extensive understanding of the technology. My career in cryptocurrency started with writing articles about blockchain technology and its use cases for various publications.
