If you have an OpenSea account, as virtually all NFT investors do, your email address was likely leaked in late June in a company-wide data breach.
This is not the first cyber-attack on the popular NFT marketplace but is yet another reminder to investors of the vulnerabilities of online Cryptocurrency and NFT trading.
On June 29th, OpenSea posted a statement to Twitter explaining that “[a]n employee of our email vendor, Customer.io, misused their employee access to download & share email addresses with an unauthorized external party.”
The post further states that “Email addresses provided to OpenSea were impacted.”
If your email is linked to an OpenSea account or you signed up for their newsletter, your email address was likely included in the data breach, possibly along with your phone number.
As a result of the breach, leaked email addresses may be targeted by email phishing attacks. These attacks range from malicious links to malicious attachments and more, sent from accounts that purport to be OpenSea. These scam accounts may use addresses virtually identical to OpenSea’s but with slight variations.
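The following sketch shows one way a mail filter could flag sender addresses that are "virtually identical" to the real one. It is an added example, not part of the original article; the trusted domain `opensea.io`, the small look-alike character map, and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: the only domain the reader expects OpenSea mail from.
TRUSTED = "opensea.io"
BRAND = TRUSTED.split(".")[0]

# Constructed, deliberately small map of look-alike characters (digits and
# Cyrillic letters) to the ASCII letters they imitate.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "а": "a", "е": "e", "о": "o", "р": "p", "ѕ": "s"})

def skeleton(domain: str) -> str:
    """Fold a domain to the ASCII form a reader would perceive."""
    return unicodedata.normalize("NFKC", domain.lower()).translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'unparseable'."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if "@" not in addr or not domain:
        return "unparseable"
    # Exact match or a true subdomain of the trusted domain.
    if domain == TRUSTED or domain.endswith("." + TRUSTED):
        return "trusted"
    skel = skeleton(domain)
    # Brand name reused inside another domain, swapped characters, or a near typo.
    if BRAND in skel or edit_distance(skel, TRUSTED) <= 2:
        return "lookalike"
    return "unknown"

# Constructed sample From: headers, not taken from any real message.
SAMPLES = ["OpenSea <noreply@opensea.io>", "OpenSea <noreply@0pensea.io>",
           "OpenSea Support <help@opensea.io.account-verify.example>"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify_sender(s):10} {s}")
```

A "trusted" result only says the domain string matches; it does not prove the message was sent by that domain, which is what SPF, DKIM and DMARC results are for.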
All investors should be careful not to open links in emails that they do not trust or expect. In the same vein, investors should not open unfamiliar attachments that were not expected from that sender.
Another attack vector investors should avoid is unfamiliar text messages with links, as well as possible SMS two-factor authentication (“2FA”) authorization breaches. Investors can avoid these types of attacks by removing SMS 2FA and replacing it with authenticator tools such as Google Authenticator.
The emergence and growth of the Cryptocurrency and NFT markets brought investors complete custody of their assets, and with that self-custody came the responsibility to maintain the security of those assets.
Regarding Cryptocurrency, Coinbase’s recent 10-Q filing with the U.S. Securities and Exchange Commission (“SEC”) reminds investors that assets investors maintain on exchanges in their personal exchange accounts can be subject to bankruptcy proceedings. Those investors run the risk of being treated as “general unsecured creditors” in the event of that exchange’s bankruptcy.
This means that assets held on Coinbase by consumers may be paid to secured creditors of that exchange if Coinbase is unable to pay those debts in the event of bankruptcy.
That said, it is important to remember that all SEC-regulated exchanges are required to abide by current regulations such as quarterly 10-Q filings as well as the requirement that investors with assets on exchanges be treated as unsecured creditors.
While it is unlikely that widely used exchanges such as Coinbase will file for bankruptcy anytime soon, the company’s recent 10-Q filing reminds investors in more ways than one that ultimately the responsibility to secure their assets is their own.
Security Best Practices
So, what are the best ways that you can secure your Cryptocurrency and NFT assets?
The foremost security method for crypto and NFT assets held online is to move them offline to a hardware wallet. Both the hardware wallet password and the recovery phrase assigned to that hardware wallet should be stored securely offline.
Neither the password nor the recovery phrase should be shared with anyone, nor should any company ever need such information.
Although the storage of assets on an offline hardware wallet is one of the best security methods for investors, it may provide a false sense of total security that their assets on hardware wallets are impenetrable.
In other words, many investors hold the false belief that if you have a hardware wallet then your assets must be safe regardless of the actions that the investor may take. That is not necessarily the case, especially when your hardware wallet is connected online in order to interact with marketplaces and exchanges.
In situations in which your hardware wallet is connected online, be aware of which sites you allow connection to as well as the transactions you approve through your hardware wallet.
For instance, a mint site from which you plan to mint an NFT could be compromised by hackers. That same compromised mint site that requires your hardware wallet to be connected for the mint process could then provide the hackers with access to your wallet based on your approval of a malicious smart contract.
As a result, once a transaction is approved by a hardware wallet on a hacked mint site, hackers could send your assets from your wallet to another.
The contract shown before approval should always reflect the correct information on your hardware key; if you are unsure, do not permit the transaction to be processed. Once a smart contract is approved, access to your hardware wallet is provided based on the permission given.
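To make "the permission given" concrete, the sketch below decodes the raw data field of a pending transaction and reports what an approval would grant. It is an added example, not part of the original article; it covers only the standard ERC-20/ERC-721 `approve` and `setApprovalForAll` calls, and the operator address and `encode` helper are constructed for illustration.

```python
# 4-byte function selectors defined by the ERC-20 / ERC-721 standards.
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def describe_approval(data_hex: str) -> dict:
    """Decode transaction calldata and say who is granted what."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        # Not an approval call; this sketch does not interpret it further.
        return {"kind": "other", "scope": "unknown", "selector": "0x" + selector}
    if len(args) != 128:
        raise ValueError("expected exactly two 32-byte arguments")
    grantee = "0x" + args[24:64]   # address = low 20 bytes of the first word
    value = int(args[64:], 16)     # second word: amount / token id, or bool
    if selector == SET_APPROVAL_FOR_ALL:
        # True lets the operator transfer every token the wallet holds in
        # this collection; False revokes that access.
        scope = "collection-wide" if value != 0 else "none"
        return {"kind": "setApprovalForAll", "grantee": grantee, "scope": scope}
    # approve() is shared by ERC-20 (value = amount) and ERC-721 (value =
    # token id); the calldata alone cannot tell which one the target is.
    scope = "unlimited" if value == MAX_UINT256 else "bounded"
    return {"kind": "approve", "grantee": grantee, "value": value, "scope": scope}

def encode(selector: str, address_hex: str, value: int) -> str:
    """Build constructed sample calldata for the demo below."""
    return "0x" + selector + address_hex[2:].rjust(64, "0") + format(value, "064x")

OPERATOR = "0x" + "ab" * 20  # constructed placeholder, not a real address

if __name__ == "__main__":
    for sel, val in [(SET_APPROVAL_FOR_ALL, 1), (APPROVE, MAX_UINT256), (APPROVE, 42)]:
        print(describe_approval(encode(sel, OPERATOR, val)))
```

A "collection-wide" or "unlimited" scope granted to an address you do not recognize is the case the paragraph above warns about.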
Attacks on popular NFT marketplaces such as OpenSea will most likely continue to be attempted, so consistently maintain awareness of your asset security and ways that you can mitigate security risks.