OpenSea, the world’s largest NFT marketplace, informed people on its email list that an employee of Customer.io (OpenSea’s bulk email vendor) gave the OpenSea email list to an outside party. OpenSea sent a note advising everyone on the list to beware of phishing schemes that are likely to ensue. Even if you didn’t get a note, beware of phishing schemes. No one is giving you a Kaiburr Crystal for free. (Ten points if you know what a Kaiburr Crystal is, BTW.)
Two things about this. 1) Although it made the headlines this morning, it is not news. There are only two kinds of companies: those that have been hacked, and those that do not yet know they have been hacked. Getting hacked should not be news. 2) Technically, this wasn’t a hack. No one broke into anyone’s account. An insider with legitimate access to the list chose to commit a crime by copying it and handing it to someone outside the company.
The lesson is clear. Password protection and encryption defend data against outsiders; they will not thwart, or even slow down, a motivated insider who has already been granted unfettered access to that data.
What to do: 1) Grant permissions strictly according to need, and no wider. 2) Severely punish people who bypass the permissions protocol, for example by handing an assistant their master access password because they are too lazy to grant a one-time permission or follow the established security procedure. 3) Bond (insure) employees with access to sensitive information. 4) Have a business continuity and crisis management plan in place, and rehearse it with drills on a regular basis.
There are Web3 solutions for this kind of socially engineered attack, but they will require wide adoption of immutable, non-transferable, smart contract-based IDs. With SSI (self-sovereign identity) or DID (decentralized identity) in place, a unique email address would be about as valuable as an address from an old phone book. These Web3 concepts are being discussed daily, and I’m aware of dozens of excellent projects that are attempting to empower individuals to control their sensitive information. You can learn more about how the future may unfold by getting Web3 certified (for free) at Metacademy. I hope you’ll check it out.
Author’s note: This is not a sponsored post. I am the author of this article and it expresses my own opinions. I am not, nor is my company, receiving compensation for it.