OpenSea, the largest nonfungible token (NFT) marketplace, this week announced that an employee of one of its email vendors, Customer.io, accessed and downloaded the company's email list. It added that anyone who has ever shared their email address with the platform in the past should assume they are impacted. 

OpenSea currently has nearly 2 million users. 

"Please be aware that malicious actors may try to contact you using an email address that looks visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation)," the company told its users in a statement about the data leak. 

Paul Laudanski, head of threat intelligence at email security company Tessian, notes that insider abuse is inherently difficult to discover and even more so when the individual is an authorized user. He advises all organizations to examine third-party risk management protocols and have a clear understanding of how and where data is stored.

“The data breach disclosed today is a stark reminder of the dangers of insider threats," he says. "In this case, an authorized user misused their employee access to download and share email addresses of OpenSea’s users and newsletter subscribers with an unauthorized external party."

The company is working with law enforcement to investigate the incident, according to the OpenSea statement.

Lucrative Dataset for Cybercrooks

Stephen Banda, a senior manager at Lookout, says the breach was most likely financially motivated, given that the OpenSea email list is a potentially lucrative dataset for cybercriminals.

"There is a lucrative market for stolen information and credentials.," he notes. "In this case, 2 million email addresses of customers of the world’s biggest marketplace for NFTs will be highly attractive to bad actors looking to launch broad phishing attacks."

It's also likely that attackers will use the email list to steal NFTs from unsuspecting OpenSea users, predicts Karl Steinkamp, director at Coalfire. 

"The disclosure of the email list certainly gives the attacker a solid base of active individuals from which to attempt to steal their NFTs and, likely, distribute malware," Steinkamp warns. "Individuals and companies who receive emails from OpenSea about new and ongoing activities should instead conduct these manually through the opensea.io website." 

As more businesses turn to NFTs for marketing and brand-awareness purposes, Laudanski says they should keep in mind that the OpenSea incident is part of a larger phenomenon of cybercriminals taking notice of the segment.

"Generally, we are seeing a trend emerge with attacks on crypto startups with hackers attempting to get transactions signed by wallet owners through fraudulent means," he notes. "Today’s announcement should serve as a wake-up call for all crypto startups to take audit of their security measures and practices and those of their third-party partners and outside vendors."