Third-party breach leaks OpenSea API key data

NFTs
(Image credit: Bored Ape)

OpenSea, one of the world’s most popular marketplace for non-fungible tokens (NFTs), has been breached, with sensitive user data stolen.

The company confirmed the news in a notification email sent to affected parties, telling users one of its vendors experienced a security incident, “that may have exposed information about your OpenSea API key”. 

“We do not expect this to have any immediate effect on your integration with our platform,” the company’s notification further states. “However your key could be used by external parties which will use its allocated rate limit.”

Missing details

To address the issue, OpenSea asked users to replace existing keys, which were set to expire on October 2 regardless.

Other details about the incident were not disclosed, so we don’t know who the threat actors were, or what their motives are. We also don’t know how many people were affected by the breach, or if any other sensitive information was taken in the process. 

This is not the first time OpenSea has been hacked. In fact, there have been multiple such incidents. In April 2022, for example, hundreds of NFTs were stolen from the accounts of OpenSea users after a series of successful phishing attacks. 

A list compiled by blockchain security company PeckShield suggests that more than 250 NFTs were stolen, including items from popular collections such as Bored Ape Yacht Club. Although some have since been recovered, wallet analysis shows the stolen tokens have earned the attacker roughly $1.7 million in sell-on value.

In July the same year, the company warned its users to be wary of potential phishing attacks, after a data breach exposed email addresses attached to user accounts.

UPDATE September 27 - Responding to our inquiry, an OpenSea spokesperson said that a third-party, and not the company itself, was breached, but would still not confirm how many people may have been affected.

"One of our third party vendors experienced a security incident that may have exposed information about OpenSea API keys," the statement reads. "The keys do not provide access to, or the ability to change, any OpenSea user information. Rather, they provide access to our public API with increased rate limits. Unauthorized use of an API key could mean a developer would not be able to enjoy their full rate limits. We notified developers to deprecate and replace their API key, so they could preserve their rate limits."

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.