Over seven million email addresses that were compromised in a 2022 OpenSea email vendor leak have recently been “fully publicized” online, according to a warning from a SlowMist executive. The leaked email addresses can now be accessed by scammers, providing them with a new source of information to carry out their fraudulent activities.
In a post on X dated January 13, SlowMist’s chief information security officer, known as “23pds,” wrote, “Remember the attack on the OpenSea mail service provider in [2022] that led to the leakage of emails? The leaked email addresses have now been fully publicized after multiple disseminations.” Speaking to Cointelegraph, 23pds explained that although the attack took place in June 2022, the data had only recently become public, allowing all groups of attackers to use the information for phishing and scamming purposes. “Previously, it was not made public. Now all the leaked data has been made public in its entirety and is available to anyone who wants it.” 23pds shared a screenshot of a Telegram message with Cointelegraph, which contained an attachment named “opensea.io_mail_list.rar” and allegedly contained 7 million entries.
“The amount of leaked data reached 7 million, including a large number of email information of overseas cryptocurrency practitioners, including many well-known people, companies, and key opinion leaders (KOLs) in the industry,” 23pds said in a post on X that was originally written in Chinese.
OpenSea, one of the world’s largest non-fungible token (NFT) marketplaces, initially warned customers about the data leak on June 29, 2022. The leak occurred when an employee of Customer.io, OpenSea’s email automation platform, leaked the list of OpenSea customer emails to an external party. “If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” OpenSea stated at the time.
To prevent phishing scams, 23pds advised individuals who believe their email was leaked to create strong and unique passwords and use a password manager to securely store them. They also recommended using two-factor authentication (2FA) whenever possible, suggesting the use of an authenticator app instead of SMS-based 2FA, and emphasized the importance of keeping device software updated.
According to CertiK, phishing scams were one of the most significant security threats in 2024, resulting in attackers stealing over $1 billion worth of digital assets in 296 incidents throughout the year. “Phishing was the most costly attack vector last year,” a CertiK spokesperson previously informed Cointelegraph. “Our figures are conservative, and the actual figure is higher when you consider unreported incidents and other types of phishing scams like pig butchering.”