NFT giant OpenSea reports major email data breach

Update (July 8, 12:15 PM IST): Opensea vendor consumer.io revealed today that customer data of five other companies were also compromised. While the firm didn't name these clients, it said it has informed them about the data leak.

"After further investigating the compromised OpenSea email addresses incident, we have learned today that the email addresses from five other customers were also provided to the same external bad actor.

We know this was a result of the deliberate actions of a senior engineer who had an appropriate level of access to perform their duties, and provided these email addresses to the bad actor. This action was limited to this single employee," Consumer.io said in an email to TechCrunch.

It added that the responsible employee was terminated and reported to law enforcement. It's also revamping its security policies with steps like preventing authorized people from downloading customer data, and a toggle for companies to turn off giving end-user data access to employees — or enable it for a specific amount of time.

OpenSea, the popular NFT marketplace that hit a colossal $13 billion valuation in January, is warning users of email phishing after a data breach.

A staff member at Customer.io, an email vendor contracted by OpenSea, misused their employee access to download and share email addresses of OpenSea's users and newsletter subscribers with an unauthorized external party, the world's largest NFT marketplace said Wednesday night.

The scale of the security breach appears massive. "If you have shared your email with OpenSea in the past, you should assume you were impacted," the company said, adding that it's working with Customer.io in an ongoing investigation and has reported the incident to law enforcement.

More than 1.8 million users have made at least one purchase through the Ethereum network on OpenSea, according to data collected by Dune Analytics, an open source crypto analytics platform.

"We believe this resulted from the actions of an employee who had role-specific access privileges that were abused," a spokesperson for Customer.io said to TechCrunch. "We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation."

Crypto startups have emerged as a target for cyberattacks as the industry sees explosive growth and money flooding in. Blockchain-based, decentralized networks promise to provide better security, but average users today lean toward centralized services like OpenSea for their convenience.

Case in point, in March, a data breach at HubSpot, a customer-relations management software firm, led to data breaches at BlockFi, Circle and others. Fractal, an NFT platform started by Twitch co-founder Justin Kan, had a rocky debut in December after a scammer hacked the announcement bot to pocket $150,000.

One of the biggest crypto heists to date has been the $625 million theft from Ronin, a blockchain network connected to the play-to-earn game Axie Infinity.

Growing at a breakneck rate, self-proclaimed web3 platforms relying on centralized cloud services are subject to similar if not greater security risks as established Web 2.0 services compared to those built on distributed ledger technologies like blockchain, which is believed to be better at preventing cyberattacks.

Updated with comment from Customer.io.

Subscribe to TechCrunch’s crypto newsletter "Chain Reaction" for news, funding updates and hot takes on the wild world of web3 -- and take a listen to our companion podcast!