NFT marketplace OpenSea has warned certain platform users to rotate the keys used for their APIs (application programming interfaces) after a third-party security breach left them vulnerable to attackers.
“One of our vendors experienced a security incident that may have exposed information about your OpenSea API key,” the company wrote in an email to customers.
As of May 2023, OpenSea ranked as the second largest NFT marketplace by trading volume (36.5%), second to Blur (56.8%), which launched nearly a year ago.
OpenSea instructed users to immediately “deprecate” usage of their current key and replace it with a new one, informing them that their current keys will expire on Monday, October 2.
While the exploit isn’t expected to have an “immediate effect” on users’ integration with the platform, OpenSea warned that third-party access could affect victims’ allocated rate and usage limits.
“The newly generated keys API keys will have the same permissions and rate limits as the expiring keys,” added OpenSea.
The platform did not reveal how many users were affected, or if other data besides API keys may be at risk.
The breach shortly follows a similar security breach at one of Nansen’s third-party vendors, exposing some users’ blockchain addresses, password hashes, and email addresses. The on-chain analytics platform said that 6.8% of its user base was affected.
While not naming names, Nansen said at the time that the vendor is “used by many Fortune 500 companies.”
In June of last year, OpenSea was among many crypto firms to see customers’ emails leaked to unauthorized parties following an employee’s blunder working with its email delivery partner, Customer.io. When crypto firms’ customer emails are compromised, attackers often use them to promote legitimate looking phishing scams to clients.
OpenSea also saw its Discord server hacked in May 2022, with hackers pushing a fake NFT mint claiming to be done in partnership with YouTube.