OpenSea, the largest NFT marketplace by trading volume, suffered a data breach in June 2022 when an employee at Customer.io, the company's third-party email delivery vendor, misused their internal access to download and share OpenSea's user email list with an unauthorized outside party. Customer.io confirmed the employee was a senior engineer, terminated them, and introduced additional security controls. The breach exposed approximately 6.9 million email addresses belonging to OpenSea users and newsletter subscribers. Although no wallet credentials, private keys, or transaction data were compromised, the exposed email addresses carry elevated risk for this particular user base. Because OpenSea is an NFT marketplace, anyone on its email list is likely associated with cryptocurrency holdings or digital asset activity. This makes affected individuals prime targets for phishing emails impersonating OpenSea, including fake messages referencing pending NFT sales, wallet alerts, or transaction confirmations designed to trick users into connecting their wallets to malicious sites. OpenSea notified affected users promptly and advised caution around suspicious emails. No class-action settlement or regulatory action specific to this breach has been publicly documented. Affected individuals should treat any email claiming to be from OpenSea with skepticism, avoid clicking links in those messages, and instead navigate directly to opensea.io to check account activity. The breach is a reminder that vendor access to sensitive customer data carries real risk even when a company's own systems are not directly attacked.

NFT marketplaces collect user accounts, wallet-linked records, emails, transaction activity, device metadata, and support interactions tied to digital asset trading and collection.

OpenSea has undergone significant restructuring as NFT market volumes collapsed from 2022 peak levels. The company reduced its workforce substantially in 2022 and 2023. It launched an updated platform — OpenSea 2.0 — in early 2024 as part of an effort to regain market position against competitors. The 2022 vendor breach remains the primary data security event associated with the platform.