OpenSea, the biggest player in the NFT world, is warning users to be vigilant against phishing attacks following the breach of its email database.
In an email obtained by Bleeping Computer, OpenSea’s Head of Security, Cory Hardman, blamed the incident on a rogue employee of Customer.io, its email delivery provider.
Hardman said the employee obtained the email addresses of registered OpenSea users and newsletter subscribers. The rogue insider subsequently shared the list with an unspecified, unauthorized third party.
OpenSea did not provide details about the scope of the issue, however. In a blog post, Hardman warned: “If you have shared your email with OpenSea in the past, you should assume you were impacted.”
“Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts,” he added.
The company is investigating the issue with Customer.io and has reported it to law enforcement.
It advises customers to be wary of emails sent from domains that mimic the official OpenSea domain.
Hardman also recommended users follow basic email security hygiene. This includes checking the URLs linked in OpenSea emails and not opening email attachments.
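A minimal version of the check Hardman recommends, as an added example that is not OpenSea's own code: it classifies an email's sender domain and the host of every linked URL against the official domain. `opensea.io` is assumed to be the official domain (the article does not name it), and the function names and sample hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "opensea.io"          # assumption: official domain, not named in the article
BRAND = OFFICIAL.split(".")[0]   # "opensea"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    for label in host.split("."):
        # Brand name inside another domain (opensea.io.login.example,
        # opensea-support.example) or a punycode label that may hide homoglyphs.
        if BRAND in label or label.startswith("xn--"):
            return "lookalike"
        # Typosquats: a label within two edits of the brand (0pensea, opnesea).
        if abs(len(label) - len(BRAND)) <= 2 and edit_distance(label, BRAND) <= 2:
            return "lookalike"
    return "unrelated"

def triage(sender: str, urls: list[str]) -> list[tuple[str, str]]:
    """Classify the From domain and the real host of each link in one message."""
    hosts = [sender.rsplit("@", 1)[-1]]
    # urlsplit().hostname ignores userinfo, so "https://opensea.io@evil.example/"
    # is judged by evil.example, the host the browser would actually contact.
    hosts += [urlsplit(u).hostname or "" for u in urls]
    return [(h, classify_host(h)) for h in hosts]

if __name__ == "__main__":
    # Constructed sample message; .example is a reserved TLD.
    sample_sender = "noreply@opensea-support.example"
    sample_urls = ["https://opensea.io/account",
                   "https://opensea.io@evil.example/login"]
    for host, verdict in triage(sample_sender, sample_urls):
        print(f"{verdict:10} {host}")
```

In a message that claims to come from OpenSea, anything not classified as `official` deserves suspicion, including `unrelated` hosts.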
What are NFTs?
This is not the first security incident at OpenSea. The company, which dominates the fledgling NFT market, has been targeted by social engineering and phishing attacks in the past. In one heist, 32 OpenSea users lost the equivalent of $2 million in NFTs.
NFTs — or non-fungible tokens — are a type of digital asset that ascribes an element of uniqueness. Put simply: they’re an attempt to add an element of ownership to the ephemeral world of digital goods, where objects can be infinitely copied. They bring the tangible to the intangible.
Digital art is currently the prime focus of NFTs. The most immediately recognizable examples include CryptoPunks, CryptoKitties, and Bored Ape Yacht Club.
As NFTs are inherently unique, they can theoretically hold value. Last September, the iconic auction house Christie’s, which typically deals in fine art and other tangible collectibles, announced it had sold over $100m in NFTs.
In March 2021, Christie’s facilitated the sale of Beeple’s ‘Everydays: The First 5,000 Days’ for a record $69m price. Another notable example is CryptoPunk #5822, which sold for $23.7m in February of this year.
A lucrative target for hackers
These high prices have made NFTs a prime target for hackers. Exacerbating things further, the crypto world’s decentralized nature makes it extremely difficult for former owners to recover their stolen property.
Last month, the actor Seth Green, best known for his work in Adult Swim’s Robot Chicken and Joss Whedon’s Buffy the Vampire Slayer, fell victim to one such attack. An unknown hacker obtained the actor’s Bored Ape #8298, dubbed Fred Simian, and sold it to a third party for the equivalent of $197,000.
Green had intended to create a TV series based on Simian. His ownership of the IP (intellectual property) relied on his ownership of the underlying NFT itself.
“I bought that ape in July 2021, and have spent the last several months developing and exploiting the IP to make it into the star of this show,” said Green in an interview with Gary Vaynerchuk. “Days before he’s set to make his world debut, he’s literally kidnapped.”
Green later regained access to the NFT after paying the equivalent of $297,000 in ether to the buyer, known only as Mr Cheese. This netted the buyer a cool $100,000 profit.
NFTs are a highly speculative asset class. They are yet to demonstrate any utility, besides proving the ownership of digital goods. As such, they’re prone to the same volatile swings as established cryptocurrencies. The average NFT artwork price declined 70 percent between February and April.
As enthusiasm for NFTs fades, this downward spiral will only continue.
This fact is unlikely to dissuade Web3 die-hards, who see NFTs as an inevitable part of the future digital economy. But in the short term, they remain a dubious (and unproven) investment.