UPDATED 19:30 EDT / JUNE 30 2022

SECURITY

NFT marketplace OpenSea’s customer email addresses stolen by employee of contractor

Nonfungible token marketplace OpenSea has suffered a data breach after an employee of a third-party contractor downloaded email addresses belonging to OpenSea users and newsletter subscribers.

The breach involved an employee of Customer.io downloading the email addresses and providing them to an unauthorized external party. Who the third party was or whether money was involved was not disclosed.

OpenSea is warning all customers who have previously shared their email addresses that they should assume they have been affected. “We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” OpenSea Head of Security Cory Hardman wrote in a blog post Wednesday.

The biggest concern with the email addresses in the wild is that they could be used in email phishing attempts. “Please be aware that malicious actors may try to contact you using an email address that looks visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation),” Hardman said.

Users are advised to take precautions against being tricked by phishing emails: checking the domain the email was sent from, never downloading anything from an OpenSea email and checking the URL of any link in an OpenSea email. Customers are also warned never to share or confirm their passwords or secret wallet phrases and never to sign a wallet transaction prompted directly from an email.
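The sender-domain and link-URL checks described above can be automated in a mail filter. The following Python sketch is an added example, not code from OpenSea or from this article; the matching heuristics (brand name inside a label, edit distance of at most 2) and the sample message are assumptions constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL = "opensea.io"  # official email domain named in the article


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, official=OFFICIAL):
    """Return 'official', 'lookalike' or 'unrelated' for a host name."""
    host = host.lower().rstrip(".")
    if host == official or host.endswith("." + official):
        return "official"
    brand = official.split(".")[0]  # "opensea"
    for label in host.split("."):
        # Same name under another TLD, brand embedded in a label, or a near-typo.
        if brand in label or edit_distance(label, brand) <= 2:
            return "lookalike"
    return "unrelated"


def check_message(from_header, links):
    """Classify the sender domain and the host of every link in one message."""
    sender = parseaddr(from_header)[1]
    findings = {"sender": classify_domain(sender.rpartition("@")[2])}
    for url in links:
        findings[url] = classify_domain(urlsplit(url).hostname or "")
    return findings


# Constructed sample message; hosts other than opensea.io and opensea.org
# use the reserved .example TLD.
SAMPLE_FROM = '"OpenSea Support" <support@opensea.org>'
SAMPLE_LINKS = [
    "https://opensea.io/account",
    "https://opensea.io.account-check.example/login",
    "https://opensae.example/verify",
]

if __name__ == "__main__":
    for item, verdict in check_message(SAMPLE_FROM, SAMPLE_LINKS).items():
        print(f"{verdict:10} {item}")
```

A "lookalike" verdict on either the sender or any link is enough to quarantine the message; an "official" sender domain alone is not proof of authenticity, since the From header can be forged when SPF, DKIM and DMARC are not enforced.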

The theft of email addresses is not the first time OpenSea has faced security issues. A bug on OpenSea allowed hackers to steal more than $1 million in NFTs in January, and $1.7 million more in NFTs was stolen through a phishing attack targeting OpenSea users in February.

“This case is unique because it appears to be an intentional act by a malicious insider, rather than an accidental leak due to faulty procedures or an outside attack from a hacker or hacking group,” Adrien Gendre, chief tech and product officer at AI-based email security company Vade Secure SASU, told SiliconANGLE today. “Third-party vendors pose a significant risk to businesses because, as a customer, you don’t have control over your vendors’ security policies or controls.”

Gendre warned that phishing attacks could be very difficult for end-users to identify, but most will have at least some indication that they are malicious, including the email address.

“Because of the increased risk to OpenSea users now and in the future, the best course of action is to refrain from navigating to OpenSea via email,” Gendre added. “If you receive an email claiming to be OpenSea and asking to log in to your account, don’t click on the link. Go directly to your account from your browser or app.”
