By Cameron Abbott, Rob Pulham and Dadar Ahmadi-Pirshahid
OpenSea have reported a breach whereby email addresses registered with the site have been shared with an unauthorised third party.
For landlubbers, OpenSea is the world’s largest marketplace for non-fungible tokens (NFTs).
The Head of Security at OpenSea identified an employee of OpenSea’s third party email delivery vendor as the source of the breach. The employee reportedly misused their access privileges to download and share the list of the site’s registered email addresses with an external party.
People who have shared an email address with OpenSea, such as subscribers to the site’s newsletter, are warned to remain vigilant about attempts by malicious parties to impersonate communications from OpenSea.
OpenSea has dealt with several security incidents this year. Only a month ago, a former OpenSea product manager was arrested and is reportedly the first person to have been charged in connection with a digital asset insider trading scheme. The product manager’s responsibilities included deciding which NFTs would be featured on the site’s homepage, which he allegedly used for his own financial gain. When OpenSea had discovered his conduct in September 2021, OpenSea requested and accepted the product manager’s resignation. Immediately afterwards, OpenSea commissioned a third party review of the incident and implemented the review’s recommendations to strengthen their existing policies.
In May this year, OpenSea’s Discord server was hacked. Just a few months earlier, 254 NFTs valued at around $1.7million USD were stolen through what appear to have been phishing attacks. OpenSea has reportedly reimbursed the victims.
These incidences highlight the status of NFT marketplaces as high value targets for malicious actors and reveals that many of the security vulnerabilities faced in the ‘old’ world of cyber technology remain a threat in the new world of blockchain and NFTs.
Once again, these incidents serve as a reminder for organisations to develop effective cyber security risk management, which requires an approach that encompasses all security vulnerabilities and that includes mechanisms governing employee access and use of sensitive information.