NFT marketplace OpenSea is warning some platform users to rotate the keys used for their APIs (application programming interfaces) after a third-party security breach left them vulnerable of attackers.
“One of our vendors experienced a security incident that may have exposed information about their OpenSea API keys,” the company wrote in an email to customers.
As of May 2023, OpenSea ranks as the second largest NFT market by trading volume (36.5%), after Blur (56.8%), which was launched almost a year ago.
OpenSea instructed users to immediately “opt out” of the use of their current keys and replace them with new ones, notifying them that their keys will expire on Monday, October 2.
While the exploit is not expected to have an “immediate impact” on the integration of platform users, OpenSea warns that third-party access may affect the rate allocated to victims and usage limits. .
“Newly generated API keys have the same permissions and rate limits as expired keys,” OpenSea added.
The platform did not reveal how many users were affected or if data other than API keys could be at risk.
The security breach comes shortly after a similar security breach at one of Nansen’s third-party providers, which exposed the blockchain addresses, password hashes, and email addresses of some users. The on-chain analytics platform said 6.8% of its user base was affected.
Without naming names, Nansen said at the time that the vendor “is used by many Fortune 500 companies.”
In June last year, OpenSea was one of several cryptocurrency companies that saw customer emails leaked to unauthorized parties following an employee error when working with an email delivery partner. , Customer.io. When customer emails of cryptocurrency companies are compromised, attackers often use them to promote phishing scams that appear legitimate to customers.
OpenSea also saw its Discord server hacked in May 2022, with hackers promoting a fake NFT creation claiming to be made in collaboration with YouTube.