Opensea | Some users lost NFT collection - CEO denied it was internal error.

[noorman0]

Some collectors lost NFT items after Opensea asked them to migrate item lists to new smart contracts. The CEO explained that it was a phishing attack, not another exploit against smart contracts like before.

We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of http://opensea.io.

Opensea's CTO also explained in detail the attack took place here.
Migration to new smart contracts is not without reason. Last January 25th, hackers discovered an opensea interface bug, exploited it, and caused user losses of at least $1 million ~ source

I think experiencing successive attacks is not a coincidence, considering that opensea is still ranked as the largest NFT marketplace they will always be a prime target for hackers. In your opinion, is it still safe enough to store NFT on that platform?

[1715277108]

1715277108

[1715277108]

1715277108

[1715277108]

1715277108

[1715277108]

1715277108

[XUR_TIP]

Then there is nothing wrong to start demanding for decentralized NFT platform, open sea is a centralized platform for NFT as we all know it so lets hope that another better open sea in defi style takes place, the problem with centralised platform is lack of better security and lack of responsibility just like how the CEO is denying everything.

[stomachgrowls]

Then there is nothing wrong to start demanding for decentralized NFT platform, open sea is a centralized platform for NFT as we all know it so lets hope that another better open sea in defi style takes place, the problem with centralised platform is lack of better security and lack of responsibility just like how the CEO is denying everything.

They wouldnt really tend to accept their mistakes and its true that when it comes to centralized platforms then it is really prone into this kind of situation speaking with security.

If they could prove out that its an internal error then there should be some sufficient proof and not just trying out to deny without having those proofs because if they dont
then we could already presume that something is happening.

Feel sorry for those users who had lost their collection.

[arwin100]

Some collectors lost NFT items after Opensea asked them to migrate item lists to new smart contracts. The CEO explained that it was a phishing attack, not another exploit against smart contracts like before.

We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of http://opensea.io.

Opensea's CTO also explained in detail the attack took place here.
Migration to new smart contracts is not without reason. Last January 25th, hackers discovered an opensea interface bug, exploited it, and caused user losses of at least $1 million ~ source

I think experiencing successive attacks is not a coincidence, considering that opensea is still ranked as the largest NFT marketplace they will always be a prime target for hackers. In your opinion, is it still safe enough to store NFT on that platform?

If there's no major hacking happened to them I think we can still say that its good to save NFT on that platform and we must verify always what we are clicking over the net since there's always phising attack occur and might those users lost their piece got click the wrong one and just in act of denial towards what they encountered.

But since this incident happen to them we must take more precautionary measures to avoid getting compromised by the next attack happened to them.

[vv181]

I was dazzled to seek whether it was an internal error or the external factor that made the hack happen, I guess the things only some users are affected made me think it is a kind of phishing attack.

As far as my understanding it is indeed that some users are signing a message outside the original site, some may get the phishing site from an email, based on a few tweets that i saw on the referenced link. The things that the attacker contract was built many days ago, tell it a targeted attack that mainly deceive those who lack security understanding.

I believe their CTO's statements are decent enough to take a consideration:

6) Education on not sharing seed phrases or submitting unknown transactions has become more widespread in our space. However, signing off-chain messages requires equal consideration.

[AmoreJaz]

I was dazzled to seek whether it was an internal error or the external factor that made the hack happen, I guess the things only some users are affected made me think it is a kind of phishing attack.

As far as my understanding it is indeed that some users are signing a message outside the original site, some may get the phishing site from an email, based on a few tweets that i saw on the referenced link. The things that the attacker contract was built many days ago, tell it a targeted attack that mainly deceive those who lack security understanding.

I believe their CTO's statements are decent enough to take a consideration:

6) Education on not sharing seed phrases or submitting unknown transactions has become more widespread in our space. However, signing off-chain messages requires equal consideration.

this will be a lesson for those who really don't know much about security protocols. because a lot of them for sure who has items in OpenSea are not really very familiar with the schemes of hackers. so if those users press untrusted links not coming from opensea itself, they will indeed be vulnerable to hacking depending on the malware these hackers imbedded on their links..
also, a lot of them are also new in this blockchain tech market, so they are not aware of some tactics of these hackers.
but wondering if they lost those NFT collection, can these hackers sell it to the market? can they prove that they are the real owners of the items?

[vv181]

~snip
but wondering if they lost those NFT collection, can these hackers sell it to the market? can they prove that they are the real owners of the items?

The NFTs are now being owned by the attacker so yes they are able to claim the ownership of the token(NFTs). Opensea may choose to disclose those NFTs on their platform, I don't know for sure but I think if the interaction is happening within the underlying smart contract, yes, they may be able to sell it.

[carlfebz2]

I was dazzled to seek whether it was an internal error or the external factor that made the hack happen, I guess the things only some users are affected made me think it is a kind of phishing attack.

As far as my understanding it is indeed that some users are signing a message outside the original site, some may get the phishing site from an email, based on a few tweets that i saw on the referenced link. The things that the attacker contract was built many days ago, tell it a targeted attack that mainly deceive those who lack security understanding.

This is what im thinking for some possible phishing attempts even though it might sound that complicated but once you do really able to made those attempts which is really on external basis then it could be possibly

happen.Im not really that good on tracing out possible exploits but whats done is done which does proves out that it could really be that possible on having those incident.

Im aint sue of those lost NFT's could be taken back but knowing that everything do moves on contract then its hard to believe on.

[jrrsparkles]

Some collectors lost NFT items after Opensea asked them to migrate item lists to new smart contracts. The CEO explained that it was a phishing attack, not another exploit against smart contracts like before.

We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of http://opensea.io.

Opensea's CTO also explained in detail the attack took place here.
Migration to new smart contracts is not without reason. Last January 25th, hackers discovered an opensea interface bug, exploited it, and caused user losses of at least $1 million ~ source

I think experiencing successive attacks is not a coincidence, considering that opensea is still ranked as the largest NFT marketplace they will always be a prime target for hackers. In your opinion, is it still safe enough to store NFT on that platform?

If the platform isn't capable of providing better security to the assets stored there then their reputation will be lost when Big hack attack against them, probably now they're sitting at the top but sooner they might be replaced by a platform which gives good security and its actually a good opportunity for developers to create a competitive platform against opensea.

[cryptoaddictchie]

The NFTs are now being owned by the attacker so yes they are able to claim the ownership of the token(NFTs). Opensea may choose to disclose those NFTs on their platform, I don't know for sure but I think if the interaction is happening within the underlying smart contract, yes, they may be able to sell it.

Yes attackers were able to sell it. Ive seen some transactions being done. This is so sad as the underyling smart contract can be compromised easily. Its not the first time opensea got attacked like this. Obviously they should refund those sold nft of some users who didnt make any action to make their nft got hacked cause the error happened by opensea lack of internal security parameter. Though their contract is audited they should add more extra layer since they know that nft trading is increasing now.

[doomloop]

I was dazzled to seek whether it was an internal error or the external factor that made the hack happen, I guess the things only some users are affected made me think it is a kind of phishing attack.

As far as my understanding it is indeed that some users are signing a message outside the original site, some may get the phishing site from an email, based on a few tweets that i saw on the referenced link. The things that the attacker contract was built many days ago, tell it a targeted attack that mainly deceive those who lack security understanding.

External mate. It was clearly said in the OP that hack happened outside the site. There are inside hacks that didn't affect all of the users but i think that is because the hackers are too picky and only hacks the account with huge balance. While phishing can only happen on some users because most users are very aware with this. They make sure that they bookmark the site and do regular checks of the URL is its still the correct one.

The email should be marked as spam if the email receive is not officially from opensea or maybe the user is just careless enough to not see the entire details of the email. This is not a problem of opensea.

[vv181]

I was dazzled to seek whether it was an internal error or the external factor that made the hack happen, I guess the things only some users are affected made me think it is a kind of phishing attack.

As far as my understanding it is indeed that some users are signing a message outside the original site, some may get the phishing site from an email, based on a few tweets that i saw on the referenced link. The things that the attacker contract was built many days ago, tell it a targeted attack that mainly deceive those who lack security understanding.

External mate. It was clearly said in the OP that hack happened outside the site. There are inside hacks that didn't affect all of the users but i think that is because the hackers are too picky and only hacks the account with huge balance. While phishing can only happen on some users because most users are very aware with this. They make sure that they bookmark the site and do regular checks of the URL is its still the correct one.

The email should be marked as spam if the email receive is not officially from opensea or maybe the user is just careless enough to not see the entire details of the email. This is not a problem of opensea.

I did say that the external factor plays its part.

It's not the matter of whether the account had a huge balance or not, the stolen assets have a similarity among all of them which has a valid signature in their account, it concludes that they are somehow signing a message outside of the legitimate site. Opensea stated that it's not an email-based attempt but as long as the hacker gains enough requirements to do the hack in any way, it's very likely they will obliterate all the compromised NFT.

[noorman0]

-snip-
The email should be marked as spam if the email receive is not officially from opensea or maybe the user is just careless enough to not see the entire details of the email. This is not a problem of opensea.

Unfortunately, Opensia is not very open about this even though many users ask about the phishing method if it doesn't come from the attacker's email or social media PM to the target. And what a user suspected was that the email actually came from the Opensea's official domain.

Just answer the question @opensea, is this email from your team or not?  How much “investigation” does that take?
~image

This is a good theory. I did get that email today. The link in that email is https://email.opensea.io
I did not click the link, but that is the only email I have received from opensea with a link.
The email was signed http://cio35690.opensea.io