In a blog post, OpenSea said it learned that an employee of Customer.io, its email delivery vendor, misused employee access to download and share email addresses – provided by OpenSea users and subscribers to its newsletter – with an unauthorised external party.
“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” the company said on Wednesday.
More than 1.8 million users have made at least one purchase through the Ethereum network on OpenSea, according to data from Dune Analytics.
OpenSea cautioned users to stay vigilant about their email practices and to be alert for any attempt to impersonate OpenSea via email.
“Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts,” the company noted.
“Please be aware that malicious actors may try to contact you using an email address that looks visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation),” it added.
In February this year, OpenSea was hit by a phishing attack in which at least 32 users lost valuable NFTs worth $1.7 million.
OpenSea co-founder and CEO Devin Finzer acknowledged the phishing attack, confirming that at least 32 users lost NFTs.
The hack happened as OpenSea announced a new smart contract upgrade with a one-week deadline to delist inactive NFTs on the platform.