Millions of OpenSea user emails are now fully in the wild after the marketplace’s automation vendor leaked the emails in mid-2022.
Over seven million email addresses compromised in an OpenSea email vendor leak in 2022 have recently been “fully publicized” online — giving scammers a new treasure trove of information to work with, warns a SlowMist executive.
“Remember the attack on the OpenSea mail service provider in [2022] that led to the leakage of emails? The leaked email addresses have now been fully publicized after multiple disseminations,” wrote SlowMist’s chief information security officer “23pds” in a Jan. 13 post on X.
Speaking to Cointelegraph, 23pds explained that while the attack occurred in June 2022, the data had not been made public until recently, meaning “all groups of attackers can use this information to go phishing and scamming.”
“Previously, it was not made public. Now all the leaked data has been made public in its entirety and is available to anyone who wants it.”
23pds shared a screenshot with Cointelegraph showing a Telegram message with an attachment named “opensea.io_mail_list.rar,” which purportedly holds 7 million entries.
“The amount of leaked data reached 7 million, including a large number of email information of overseas cryptocurrency practitioners, including many well-known people, companies and key opinion leaders (KOLs) in the industry,” said 23pds on X, originally written in Chinese.
OpenSea, one of the world’s largest non-fungible token (NFT) marketplaces, first warned customers of a data leak on June 29, 2022, after discovering that an employee of Customer.io — its email automation platform — leaked the list of OpenSea customer emails to an outside party.
“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” it said at the time.
Preventing phishing scams
23pds advised those who believe their email was leaked to create strong and unique passwords and use a password manager to store them securely.
They advised the use of two-factor authentication (2FA) wherever possible, recommending an authenticator app over SMS-based 2FA, and said to keep device software updated.
Phishing scams were one of the most significant security threats of 2024, with attackers stealing over $1 billion in digital assets across 296 incidents during the year, according to CertiK.
“Phishing was the most costly attack vector last year,” a CertiK spokesperson previously told Cointelegraph. “Our figures are conservative, the actual figure is higher when you consider unreported incidents and other types of phishing scams like pig butchering.”
This article first appeared at Cointelegraph.com News