The cryptocurrency community is reeling from the resurfacing of a major 2022 OpenSea data breach, which has now resulted in over seven million email addresses being made fully public.
This disclosure, originally stemming from an employee of OpenSea’s email automation provider Customer.io, has reignited concerns about phishing attacks and data security risks across the crypto industry.
A Breach That Shook the NFT World
In June 2022, OpenSea, the world’s largest NFT marketplace, revealed that an employee of Customer.io exploited their access to download and share customer email addresses with an unauthorized third party.
Although OpenSea quickly alerted users about the breach and its potential impact, the dataset had been circulating in limited circles—until now.
On January 13, 2025, blockchain security firm SlowMist’s Chief Information Security Officer, known as 23pds, disclosed in a post on X that the compromised data is now widely accessible to the public.
According to 23pds, this dataset includes not just email addresses of everyday users but also prominent figures, companies, and influencers in the crypto space, dramatically increasing the risk of phishing attacks.
“Previously, the data had not been widely shared. Now, all the leaked information is accessible to anyone, including malicious actors. This makes all affected individuals more vulnerable to phishing scams and fraud,” noted 23pds in a translated statement.
Phishing Scams on the Rise
The public release of this dataset underscores the persistent dangers of phishing scams, one of the most costly attack vectors in the cryptocurrency industry.
CertiK, a leading blockchain security firm, estimates that phishing attacks caused losses exceeding $1 billion in 2024, affecting high-profile platforms like Binance, Crypto.com, and eToro.
Phishing scams are a type of crypto scam designed to trick users into revealing sensitive information, such as wallet keys or login credentials, by posing as legitimate entities.
Scammers often employ sophisticated tactics, including fake exclusive NFT mint events, fraudulent email campaigns, and phishing websites exploiting features like gasless transactions.
Notably, OpenSea has faced multiple phishing-related incidents since the original data breach. These include scams targeting its developers and users, with attackers exploiting trust to steal valuable NFTs and private wallet information.
Mitigating the Threat
In light of this renewed threat, security experts are urging affected users to take immediate action. SlowMist’s 23pds recommends creating strong, unique passwords and using password managers for secure storage.
Two-factor authentication (2FA) is also highly encouraged, with a preference for authenticator apps over SMS-based methods.
Furthermore, users should remain cautious of unsolicited emails or messages urging immediate action and verify communication sources before clicking on links or sharing sensitive details. As OpenSea reiterated, official communication will always originate from its “opensea.io” domain.
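One way to apply the "opensea.io only" check to a received message, shown as an added example rather than code from OpenSea or SlowMist: the visible From address is forgeable, so the check also requires a DMARC pass recorded by the receiving mail server. The authserv-id `mx.example.net`, the rule that subdomains count as official, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAIN = "opensea.io"       # domain named in the article
TRUSTED_AUTHSERV = "mx.example.net"  # assumption: your own mail server's authserv-id

def is_official(domain):
    # Assumption: subdomains of opensea.io count; lookalike names never match.
    domain = domain.lower().rstrip(".")
    return domain == OFFICIAL_DOMAIN or domain.endswith("." + OFFICIAL_DOMAIN)

def classify(raw_message):
    """Return 'official', 'unauthenticated' or 'other-domain' for one raw message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if not is_official(addr.rpartition("@")[2]):
        return "other-domain"
    # From alone proves nothing: require a DMARC pass written by the trusted
    # receiving server and aligned with an official domain.
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # not written by our server, possibly injected by the sender
        for result in results.lower().split(";"):
            fields = result.split()
            if "dmarc=pass" in fields and any(
                    f.startswith("header.from=") and is_official(f.split("=", 1)[1])
                    for f in fields):
                return "official"
    return "unauthenticated"

# Constructed sample messages (not real mail).
SAMPLES = {
    "genuine": "From: OpenSea <noreply@opensea.io>\n"
               "Authentication-Results: mx.example.net; dkim=pass header.d=opensea.io;\n"
               " dmarc=pass header.from=opensea.io\n\nYour listing sold.",
    "spoofed": "From: OpenSea <noreply@opensea.io>\n"
               "Authentication-Results: mx.example.net; dmarc=fail header.from=opensea.io\n"
               "\nUrgent: migrate your listings.",
    "lookalike": "From: OpenSea <mint@opensea-io.example>\n"
                 "Authentication-Results: mx.example.net;"
                 " dmarc=pass header.from=opensea-io.example\n\nExclusive mint.",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```
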
The resurfaced breach serves as a stark reminder of the importance of robust data security measures in the ever-evolving crypto landscape.
With phishing scams continuing to target the industry, vigilance and proactive steps remain essential for safeguarding digital assets and personal information.
On-Chain Media articles are for educational purposes only. We strive to provide accurate and timely information. This information should not be construed as financial advice or an endorsement of any particular cryptocurrency, project, or service. The cryptocurrency market is highly volatile and unpredictable. Before making any investment decisions, you are strongly encouraged to conduct your own independent research and due diligence.