7M OpenSea Leaked Emails Fully Publicized: Report

by Soumen Datta

January 13, 2025

The breach, caused by an insider at OpenSea's email vendor, Customer.io, initially leaked email addresses of traders, influencers, and key crypto figures.

The security breach that rocked OpenSea in 2022 has taken a new turn as over seven million email addresses are now publicly available, according to SlowMist's Chief Information Security Officer, known as "23pds." This breach, initially reported in June 2022, involved a leak of user email addresses from OpenSea's email vendor, Customer(.)io.

The OpenSea Breach: A Timeline of Vulnerability

In June 2022, OpenSea was at the height of its success, with over 120 million monthly visitors and ranking among the top 400 global websites. During this time, an employee of Customer(.)io, the email automation provider, exploited their access to extract and share email addresses from OpenSea's user database with an unauthorized third party. 

The leak primarily targeted the platform's user base but also compromised prominent figures in the cryptocurrency sector, including Binance’s CEO Changpeng Zhao, leading firms, and industry influencers.

The Leak Now Fully Publicized

Cybersecurity expert 23pds confirmed on X (formerly Twitter) that the email addresses, including those of industry leaders, influencers, and traders, are now widely accessible. Given their visibility, these individuals are prime targets for phishing attacks, which can cause severe financial and reputational damage. 

This data release amplifies the risk for individuals already affected, making them vulnerable to phishing scams and other malicious activities. 23pds emphasized that these email addresses could now be used by bad actors to create convincing phishing attacks.

Phishing scams are already one of the most significant security threats in the crypto space. The compromised data makes it easier for scammers to send deceptive emails resembling legitimate communication from trusted entities like OpenSea. These emails often trick users into clicking malicious links, leading to stolen login credentials, digital assets, or even personal information.

Recommendations for Affected Users

SlowMist’s security expert advised all users whose email addresses were part of the breach to take immediate precautions. These include creating strong, unique passwords for their accounts and using a password manager to store them securely. The use of two-factor authentication (2FA) is also highly recommended, with a preference for authenticator apps over SMS-based 2FA due to their increased security.

Earlier, OpenSea also reinforced these security measures, reminding users to be cautious of emails that appear to come from unofficial OpenSea domains such as “opensae(.)io,” “opensea(.)org,” or “opensea(.)xyz.”
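As an added illustration (not code from OpenSea, SlowMist, or this report), a mail filter could flag lookalike sender domains of the kind listed above. The sketch assumes opensea.io is the only official domain; the function names and the edit-distance threshold of 2 are hypothetical choices.

```python
import re

# Assumption: opensea.io is the only domain treated as official in this sketch.
OFFICIAL = "opensea.io"

def refang(text):
    """Undo the (.) / [.] defanging used when suspicious domains are written out."""
    return re.sub(r"[\(\[]\.[\)\]]", ".", text)

def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header value."""
    match = re.search(r"@([A-Za-z0-9.-]+)", refang(from_header))
    return match.group(1).lower().rstrip(".") if match else ""

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(from_header):
    """Label a sender as 'official', 'lookalike' or 'unrelated'."""
    domain = sender_domain(from_header)
    if domain == OFFICIAL or domain.endswith("." + OFFICIAL):
        return "official"
    brand = OFFICIAL.split(".")[0]
    labels = domain.split(".")
    # Lookalike: the brand label under another TLD or parent domain, or a
    # label within two edits of the brand (for example two swapped letters).
    if brand in labels or any(edit_distance(l, brand) <= 2 for l in labels):
        return "lookalike"
    return "unrelated"

# Constructed From: headers; the three lookalike domains are the ones named above.
SAMPLES = [
    "OpenSea <noreply@opensea.io>",
    "OpenSea <team@opensae(.)io>",
    "OpenSea Support <help@opensea(.)org>",
    "OpenSea <drop@opensea(.)xyz>",
    "Newsletter <news@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify(header), header)
```

A display name of "OpenSea" says nothing about the sender; only the domain in the address is compared, and a match on the official domain still depends on SPF, DKIM and DMARC results to rule out spoofing.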

A Wake-up Call for Crypto Security

Phishing attacks, which result from such breaches, have become a significant problem, with over $1 billion in digital assets lost to these scams in 2024 alone. According to CertiK, over 250 breaches occurred in the first half of 2024, affecting major platforms such as Binance, Crypto.com, and eToro.

The breach also highlights the vulnerabilities present in third-party services used by crypto platforms. In the case of OpenSea, Customer(.)io, a trusted partner for email automation, was the source of this leak, underlining the need for stronger security measures across all levels of a platform’s infrastructure, especially where sensitive user data is involved.

It adds to a growing list of high-profile incidents, such as Ledger's 2020 breach, which exposed personal details of over 270,000 users.

Disclaimer: The views expressed in this article do not necessarily represent the views of BSCN. The information provided in this article is for educational and entertainment purposes only and should not be construed as investment advice, or advice of any kind. BSCN assumes no responsibility for any investment decisions made based on the information provided in this article. If you believe that the article should be amended, please reach out to the BSCN team by emailing [email protected].

Author

Soumen Datta

Soumen is an experienced writer in cryptocurrencies, DeFi, NFTs, and GameFi. He has been analyzing the space for the last several years and believes there is a lot of potential with blockchain technology, even though we are still at an early stage. In his spare time, Soumen enjoys playing his guitar and singing along. Soumen holds bags in BTC, ETH, BNB, MATIC, and ADA.