Over seven million email addresses that were compromised in a 2022 OpenSea email vendor leak have recently been made public, posing a new threat from scammers, according to a warning from a SlowMist executive.
In a post on X on January 13, SlowMist’s chief information security officer, “23pds,” wrote, “Remember the attack on the OpenSea mail service provider in [2022] that led to the leakage of emails? The leaked email addresses have now been fully publicized after multiple disseminations.”
In an interview with Cointelegraph, 23pds explained that although the attack took place in June 2022, the data had not been made public until recently, which means that “all groups of attackers can use this information to go phishing and scamming.”
“Previously, it was not made public. Now all the leaked data has been made public in its entirety and is available to anyone who wants it.”
23pds shared a screenshot with Cointelegraph, showing a Telegram message with an attachment named “opensea.io_mail_list.rar,” which allegedly contains 7 million entries.
“The amount of leaked data reached 7 million, including a large number of email information of overseas cryptocurrency practitioners, including many well-known people, companies, and key opinion leaders (KOLs) in the industry,” 23pds said on X, in a post originally written in Chinese.
OpenSea, one of the world’s largest non-fungible token (NFT) marketplaces, had initially alerted customers to the data leak on June 29, 2022, after discovering that an employee of Customer.io, its email automation platform, had leaked the list of OpenSea customer emails to an external party.
“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” OpenSea stated at the time.
To prevent phishing scams, 23pds advised individuals who believe their email addresses were leaked to create strong and unique passwords, use a password manager to securely store them, enable two-factor authentication (2FA) whenever possible (preferably using an authenticator app rather than SMS-based 2FA), and keep device software updated.
Phishing scams were a major security threat in 2024, with attackers managing to steal over $1 billion worth of digital assets in 296 incidents throughout the year, according to CertiK.
“Phishing was the most costly attack vector last year,” a CertiK spokesperson previously told Cointelegraph. “Our figures are conservative; the actual figure is higher when you consider unreported incidents and other types of phishing scams like pig butchering.”