Until a few years ago, breaches in the Web2 world were rarely disclosed to users and were often covered up. New regulations have changed this: with the widespread adoption of data protection laws, companies that suffer attacks are now required to inform affected customers. The situation is no different in Web3. After all, the people, the servers, and the vulnerabilities have largely stayed the same.
OpenSea Leak
Compared to its glory days in 2021, OpenSea has weakened considerably, and one hopes that this weakness has not extended to the platform's security. A warning that feeds this concern has now emerged: NFT marketplace OpenSea told some users in an email that there may have been an API key leak at a third party.
The company suspects that those users' API keys may have been compromised and has asked that they be replaced promptly. It wrote that the incident is not expected to affect any program using OpenSea API keys, but the existing keys will be rotated starting October 2nd.
The email did not say how many people were affected. It came a day after crypto analytics firm Nansen announced that it had been breached through a third-party partner; Nansen said 6.8% of its users were affected. It is possible that OpenSea and Nansen were hit through the same partner.
Beware of API Leaks
An API (application programming interface) is the structure through which programs talk to a platform. For our purposes the important piece is the API key: a credential that lets software act on your account without your password, on platforms where you would otherwise log in with one. Each platform has its own API design, and developers build their own applications on top of the APIs that platforms such as Facebook expose.
Take a cryptocurrency exchange's API key. It allows software to perform operations as if it had logged into your account with your email and password. A trading bot, for example, needs one because buying and selling go through the API, and without your key the bot cannot act on your behalf.
Users should therefore treat these keys like passwords and protect them accordingly. If you created an API key for a trading bot, revoke it when you are done with it. Set the key's permissions correctly: restrict it to trading (or read-only where that suffices), bind it to the bot's IP address if the exchange supports that, and never grant withdrawal rights to a key handed to a third-party application. We have seen many cases where keys with transfer authority, and sometimes even more restricted keys, were compromised through the hacking of trading bots, and people lost millions of dollars.
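To make the permission advice concrete, here is an added example (not OpenSea's, Nansen's, or any exchange's code) of how a platform can scope an API key so that a stolen copy does as little damage as possible: each key carries a set of scopes, an optional IP allowlist, an expiry, and a revocation flag, and every request must be HMAC-signed with the key's secret over a timestamped message. The scope names, request paths, IP addresses, and the "leaked key" scenario are constructed for illustration and do not describe any real platform's API.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Least-privilege scopes (names assumed for illustration): a trading bot
# needs "trade", maybe "read", and never "withdraw".
SCOPES = frozenset({"read", "trade", "withdraw"})
MAX_CLOCK_SKEW = 30  # seconds a signed request stays valid; limits replay


@dataclass
class ApiKey:
    key_id: str
    secret: bytes
    scopes: frozenset
    allowed_ips: frozenset  # empty means any source IP (the weaker setting)
    expires_at: float
    revoked: bool = False


def canonical_message(method, path, body, timestamp):
    """Exact bytes both sides sign; changing any field invalidates the MAC."""
    return f"{timestamp}\n{method.upper()}\n{path}\n{body}".encode()


def sign_request(secret, method, path, body, timestamp):
    """Client side: only the HMAC travels over the wire, never the secret."""
    msg = canonical_message(method, path, body, timestamp)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class KeyStore:
    """Server-side registry. A production system would store only a hash
    of each secret; it is kept in the clear here for brevity."""

    def __init__(self):
        self._keys = {}

    def issue(self, scopes, allowed_ips=(), ttl_seconds=7 * 86400, now=None):
        unknown = set(scopes) - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._keys[key_id] = ApiKey(key_id, secret, frozenset(scopes),
                                    frozenset(allowed_ips), now + ttl_seconds)
        return key_id, secret  # shown to the user once

    def revoke(self, key_id):
        """'Disable the key when you are done', as seen from the server."""
        if key_id in self._keys:
            self._keys[key_id].revoked = True

    def authorize(self, key_id, scope, client_ip, method, path, body,
                  timestamp, signature, now=None):
        """Return (allowed, reason). Cheap rejections come before the HMAC."""
        now = time.time() if now is None else now
        key = self._keys.get(key_id)
        if key is None:
            return False, "unknown key"
        if key.revoked:
            return False, "revoked"
        if now >= key.expires_at:
            return False, "expired"
        if key.allowed_ips and client_ip not in key.allowed_ips:
            return False, "ip not allowed"
        if abs(now - timestamp) > MAX_CLOCK_SKEW:
            return False, "stale timestamp"
        expected = sign_request(key.secret, method, path, body, timestamp)
        if not hmac.compare_digest(expected, signature):  # constant-time
            return False, "bad signature"
        if scope not in key.scopes:
            return False, f"scope {scope} not granted"
        return True, "ok"


def leaked_key_scenario():
    """Constructed scenario: a trade-only, IP-bound key is stolen from a bot
    host. Returns the server's reason string for each attempt."""
    store = KeyStore()
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    key_id, secret = store.issue({"read", "trade"},
                                 allowed_ips={"203.0.113.5"}, now=t0)
    order = '{"symbol":"BTCUSDT","side":"buy","qty":"0.1"}'
    withdraw = '{"asset":"BTC","amount":"5","to":"attacker-address"}'
    bot_ip, thief_ip = "203.0.113.5", "198.51.100.9"
    sig = sign_request(secret, "POST", "/order", order, t0 + 5)
    wsig = sign_request(secret, "POST", "/withdraw", withdraw, t0 + 5)
    results = {}
    # The bot itself: trade scope, allowed IP, fresh signature.
    results["bot trades"] = store.authorize(
        key_id, "trade", bot_ip, "POST", "/order", order, t0 + 5, sig, now=t0 + 6)[1]
    # Thief tries to drain funds with the stolen key: scope never granted.
    results["thief withdraws"] = store.authorize(
        key_id, "withdraw", bot_ip, "POST", "/withdraw", withdraw, t0 + 5, wsig, now=t0 + 6)[1]
    # Thief trades from their own machine: IP allowlist blocks it.
    results["thief trades elsewhere"] = store.authorize(
        key_id, "trade", thief_ip, "POST", "/order", order, t0 + 5, sig, now=t0 + 6)[1]
    # Thief replays a captured request ten minutes later: timestamp window.
    results["replay"] = store.authorize(
        key_id, "trade", bot_ip, "POST", "/order", order, t0 + 5, sig, now=t0 + 600)[1]
    # Owner revokes the key; even a perfect request now fails.
    store.revoke(key_id)
    results["after revoke"] = store.authorize(
        key_id, "trade", bot_ip, "POST", "/order", order, t0 + 5, sig, now=t0 + 6)[1]
    return results
```

The point of the scenario is the order of defences: a key that was never granted `withdraw` cannot be used to move funds no matter who holds it, the IP allowlist stops use from a machine other than the bot's, the signed timestamp limits replay of captured traffic, and revocation ends everything. A key issued with full transfer authority and no IP restriction, which is what many users hand to third-party bots, would pass every one of these checks in the thief's hands.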