After further investigating the compromised OpenSea email addresses incident, we have learned today that the email addresses from five other customers were also provided to the same external bad actor.
We know this was a result of the deliberate actions of a senior engineer who had an appropriate level of access to perform their duties, and provided these email addresses to the bad actor. This action was limited to this single employee.
Despite the many precautions taken to protect our customer data, the employee’s role enabled specific access to these email addresses. This employee has been terminated, all access has been revoked and we have reported this employee to law enforcement.
The protection of our customer’s data is our first priority and this employee’s actions let us all down. We have alerted the five other customers to this information and sincerely apologize to them.
We launched a comprehensive security review of our access and security policies to prevent an insider threat from happening again and have already made the following changes:
We continue to review and audit our compliance policies and are committed to make further changes with high priority to ensure protection of customer data.
After consulting with our third party cyber investigations firm we have not found evidence of any other customers having had their email addresses compromised. We do not expect to learn any additional information since this incident resulted from the actions of a single employee, who had legitimate access to these email addresses as part of the employee’s job.