OpenSea, one of the world’s most popular marketplace for non-fungible tokens (NFTs), has been breached, with sensitive user data stolen.
The company confirmed the news in a notification email sent to affected parties, telling users one of its vendors experienced a security incident, “that may have exposed information about your OpenSea API key”.
“We do not expect this to have any immediate effect on your integration with our platform,” the company’s notification further states. “However your key could be used by external parties which will use its allocated rate limit.”
Missing details
To address the issue, OpenSea asked users to replace existing keys, which were set to expire on October 2 regardless.
Other details about the incident were not disclosed, so we don’t know who the threat actors were, or what their motives are. We also don’t know how many people were affected by the breach, or if any other sensitive information was taken in the process.
We asked OpenSea for more details and will provide updates if we hear back from the firm. We also asked if the company placed any additional safeguards to prevent similar incidents from happening again.
This is not the first time OpenSea has been hacked. In fact, there have been multiple such incidents. In April 2022, for example, hundreds of NFTs were stolen from the accounts of OpenSea users after a series of successful phishing attacks.
A list compiled by blockchain security company PeckShield suggests that more than 250 NFTs were stolen, including items from popular collections such as Bored Ape Yacht Club. Although some have since been recovered, wallet analysis shows the stolen tokens have earned the attacker roughly $1.7 million in sell-on value.
In July the same year, the company warned its users to be wary of potential phishing attacks, after a data breach exposed email addresses attached to user accounts.