An employee working for OpenSea's email delivery vendor misused their customer data access to download and share email addresses with an "unauthorized external party," the NFT marketplace wrote in a company blog post Wednesday. The employee worked for Customer.io.
OpenSea said customers who have shared their emails in the past "should assume" they were affected and will receive an email from opensea.io with more information. Customer.io launched an investigation into the issue, and the incident was reported to law enforcement.
"Your trust and safety is a top priority," OpenSea wrote. "We wanted to share the information we have at this time, and let you know that we’ve reported the incident to law enforcement and are cooperating in their investigation."
It's unclear how many customers were affected, although some people tweeted that they had received an email from OpenSea notifying them that they were impacted. It's also unclear if the employee still works for Customer.io.
Customer.io said it took "immediate steps" to investigate as soon as it learned of the incident, including hiring a third-party forensic investigations team. The employee behind the incident was suspended and has had all access to email information removed.
"We are working closely with OpenSea and are reviewing exactly how these email addresses were compromised," a representative for Customer.io said in a statement. "We believe this resulted from the actions of an employee who had role-specific access privileges that were abused. We do not believe any other clients’ data has been compromised, but we are continuing to investigate."
Earlier this month, a former OpenSea product manager was charged with wire fraud and money laundering in the first-ever insider trading charge involving digital assets. The employee bought NFTs before they were publicly featured on OpenSea's site and sold them for two to five times the price of his original purchase.
This story was updated to include a statement from Customer.io sent after publication.