An employee of Customer.io, an email vendor contracted by OpenSea, misused their access to download and share email addresses of the users of OpenSea and five other companies with an unauthorised external party.
Late last month OpenSea, the popular NFT marketplace, tweeted a warning to its users about possible email phishing following a data breach. OpenSea said that customers who had shared their email addresses in the past “should assume” they were affected and would receive an email from opensea.io with more information. It also added that Customer.io was taking part in the investigation and that the incident had been reported to law enforcement.
The scale of the breach appeared massive from the start, as more than 1.8 million users have made at least one purchase on OpenSea, according to Dune Analytics data. Then, on July 7th, Customer.io posted an update on its blog saying that five other, undisclosed customers had also had their data compromised.
In short, a senior engineer at Customer.io downloaded the email database containing customer information of six companies, OpenSea included, and provided it to a bad actor. The company’s investigators also confirmed that there is no evidence that any other customers have had their email addresses compromised.
“Despite the many precautions taken to protect our customer data, the employee’s role enabled specific access to these email addresses. This employee has been terminated, all access has been revoked and we have reported this employee to law enforcement.”
Customer.io is now revamping its security policies to prevent insider threats with steps such as improving its intrusion detection system and adding immutable logging; restricting access to production systems and data stores; reviewing and rotating authorisation keys for critical services; turning customer account access for the support team into an opt-in setting; and banning support staff from downloading any kind of data.
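Two of those controls, flagging bulk exports of email addresses and enforcing opt-in before support staff can read an account, can be checked against an audit log. The snippet below is an added illustration, not Customer.io’s code; the audit events, account names, role names and the 10,000-row threshold are all constructed assumptions.

```python
# Added example (not Customer.io's code): flag a single actor exporting an
# unusually large number of customer email addresses, and enforce opt-in
# before support staff may read an account (plus a ban on support downloads).
from collections import defaultdict

# Constructed sample audit events: (actor, role, action, account, rows)
AUDIT_LOG = [
    ("eng-42", "engineer", "export_emails", "acme", 500_000),
    ("eng-42", "engineer", "export_emails", "beta", 120_000),
    ("sup-07", "support", "read_account", "acme", 1),
    ("sup-07", "support", "read_account", "gamma", 1),
    ("eng-13", "engineer", "query", "beta", 25),
]

# Constructed: customer accounts that explicitly opted in to support access
SUPPORT_OPT_IN = {"acme"}

BULK_THRESHOLD = 10_000  # hypothetical policy value: rows per actor per day


def bulk_export_alerts(events, threshold=BULK_THRESHOLD):
    """Return {actor: total_rows} for actors whose exports exceed threshold."""
    totals = defaultdict(int)
    for actor, _role, action, _account, rows in events:
        if action == "export_emails":
            totals[actor] += rows
    return {actor: n for actor, n in totals.items() if n > threshold}


def support_access_violations(events, opt_in=SUPPORT_OPT_IN):
    """List support reads of non-opted-in accounts and any support download."""
    violations = []
    for actor, role, action, account, _rows in events:
        if role != "support":
            continue
        if action == "export_emails":
            violations.append((actor, account, "support staff may not download data"))
        elif action == "read_account" and account not in opt_in:
            violations.append((actor, account, "account has not opted in to support access"))
    return violations


if __name__ == "__main__":
    print(bulk_export_alerts(AUDIT_LOG))        # {'eng-42': 620000}
    print(support_access_violations(AUDIT_LOG))  # [('sup-07', 'gamma', ...)]
```

In practice the events would come from an append-only (immutable) log so that the actor cannot edit the record of their own export.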
It seems that there are two main security threats for crypto companies right now: hackers and insiders. Recent months have seen one of the biggest crypto heists of all time, when $625 million was stolen from Ronin, the blockchain network behind the Axie Infinity P2E game. The above-mentioned email data breach is definitely not the first incident for OpenSea: in May several of OpenSea’s Discord channels were hacked by a scammer promoting a fake project.
There is also a continuous threat posed by insiders, who account for 20% of all security incidents according to the latest Verizon Data Breach Incident Report. Just as an example from the industry: in March, a data breach at HubSpot, a customer relationship management software firm, affected BlockFi, Circle and others. The company said that a bad actor had gained access to an employee account.
If insider breaches could be avoided by tightening up security, hacks and scams would happen less often. Then users would prefer blockchain-based, decentralised networks to centralised ones, like OpenSea, because of their convenience.