OpenSea’s third-party security breach leaves API users vulnerable
OpenSea has asked affected users to stop using their current API keys, which are set to expire on October 2, and replace them with new ones.
OpenSea, a prominent NFT marketplace, has issued a warning to a subset of its users, urging them to rotate their application programming interface (API) keys. The warning comes after a security breach involving a third-party vendor potentially left their keys exposed.
The company addressed the situation in an email sent to its customers, stating, “One of our vendors experienced a security incident that may have exposed information about your OpenSea API key.”
As of May 2023, OpenSea held the second-largest share of the non-fungible token (NFT) marketplace, accounting for 36.5% of trading volume. While OpenSea used to be the market leader, it trails behind Blur, which launched nearly a year ago and boasted 56.8% of the market in May 2023.
OpenSea has instructed affected users to promptly cease using their current API keys and replace them with new ones. These existing keys are set to expire on Monday, October 2, according to the email.
While OpenSea assured users that the security breach isn’t expected to have an “immediate effect” on their platform integrations, the company cautioned that unauthorized third-party access could potentially impact users’ allocated rate and usage limits. The company added, “The newly generated API keys will have the same permissions and rate limits as the expiring keys.”
OpenSea has not disclosed the exact number of users affected by the breach or whether any other data besides API keys may be at risk.
This security incident follows a similar breach involving Nansen, an on-chain analytics platform. Nansen disclosed that one of its third-party vendors had been compromised, leading to the exposure of users’ blockchain addresses, password hashes, and email addresses. Approximately 6.8% of Nansen’s user base was affected by the breach.
While OpenSea did not identify the affected vendor by name, Nansen indicated that the vendor is “used by many Fortune 500 companies.”
Notably, this isn’t the first time OpenSea has faced security challenges. Last year, customers’ email addresses were leaked due to an employee’s error while working with the platform’s email delivery partner, Customer.io. Leaked email lists of this kind are routinely used by attackers to run targeted phishing campaigns. Additionally, OpenSea’s Discord server was compromised in May 2022, with the attackers promoting a fake NFT mint that claimed to be a partnership with YouTube.