SlowMist: OpenSea User Emails Leaked in 2022 Now Exposed to the Public

Over seven million email addresses that were compromised in a 2022 OpenSea email vendor leak have recently been exposed online, posing a significant threat for scammers, according to a warning from a SlowMist executive. In a post on X on January 13, SlowMist’s chief information security officer, “23pds,” stated, “Remember the attack on the OpenSea mail service provider in [2022] that led to the leakage of emails? The leaked email addresses have now been fully publicized after multiple disseminations.” Speaking to Cointelegraph, 23pds explained that although the attack occurred in June 2022, the data had not been made public until recently, allowing all groups of attackers to utilize the information for phishing and scamming purposes. 23pds shared a screenshot showing a Telegram message containing an attachment named “opensea.io_mail_list.rar,” which allegedly contains 7 million entries. According to 23pds, “The amount of leaked data reached 7 million, including a large number of email information of overseas cryptocurrency practitioners, including many well-known people, companies and key opinion leaders (KOLs) in the industry.” OpenSea, one of the world’s largest non-fungible token (NFT) marketplaces, initially warned its customers about the data leak on June 29, 2022, after discovering that an employee of Customer.io, its email automation platform, leaked the list of OpenSea customer emails to an external party. In order to prevent phishing scams, 23pds advised individuals who believe their email addresses were leaked to create strong and unique passwords, utilize a password manager, enable two-factor authentication (2FA) whenever possible (preferably using an authenticator app instead of SMS-based 2FA), and keep their device software up to date. Phishing scams were identified as one of the most significant security threats in 2024, with attackers managing to steal over $1 billion worth of digital assets from 296 incidents throughout the year, according to CertiK. A CertiK spokesperson previously stated, “Phishing was the most costly attack vector last year. Our figures are conservative; the actual figure is higher when you consider unreported incidents and other types of phishing scams like pig butchering.”