The popular musical instrument marketplace Reverb has suffered a data breach after an insecure database containing customer information was exposed online.
Reverb is the largest online marketplace for the sale of new, used and vintage musical instruments and equipment.
Today, Reverb customers began receiving data breach notifications stating that customer information was exposed, including customer names, addresses, phone numbers, and email addresses.
While the Reverb notification does not explain how the data was exposed, security researcher Bob Diachenko has shed some light on what happened.
Diachenko says he discovered an unsecured Elasticsearch server publicly exposed on the Internet that contained more than 5.6 million records.
Each record contained information about a particular listing on Reverb.com, including full name, email address, phone number, postal address, PayPal email, and listing/order information.
When Diachenko finds an insecure database, he always notifies the company so that it can secure the database. After analyzing the data, he noticed many users with @reverb.com email addresses and matched orders in the database with those on the site.
“To confirm my thinking, I ran a quick check and was able to find several details of high-profile sellers, including Black Sabbath’s Bill Ward, Smashing Pumpkins’ Jimmy Chamberlin, Nine Inch Nails’ Alessandro Cortini, and more,” Diachenko explained in a report.
Diachenko told Bleeping Computer that by the time he confirmed that the database belonged to Reverb, the site had already secured the database.
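The exposure described above is the classic unauthenticated Elasticsearch case: a node that answers GET / with cluster metadata to anyone on the Internet, and whose indices can then be read and counted. The script below is an added example, not code from the article, from Diachenko, or from Reverb. It shows how an operator can audit their own nodes for this condition: an offline classifier for the root response, a helper that sizes an exposed cluster from the /_cat/indices listing (the same kind of query a researcher uses to arrive at a figure like "5.6 million records"), and a thin network probe around them. Host and port defaults are assumptions; the sample responses are constructed to match the shape of real Elasticsearch replies.

```python
"""Audit an Elasticsearch endpoint for unauthenticated access.

Added example (not from the article or from Reverb). Hostnames, ports and the
sample response bodies below are assumptions/constructed data; the "tagline"
string is the one a real Elasticsearch node returns on GET /.
"""
import json
import urllib.error
import urllib.request

ES_TAGLINE = "You Know, for Search"  # returned in the root document of every Elasticsearch node


def classify_root_response(status: int, body: str) -> str:
    """Turn the status and body of an unauthenticated GET / into a finding.

    'open'      -> node returned cluster metadata with no credentials: data is readable by anyone
    'protected' -> node demanded credentials (401/403): authentication is enabled
    'unknown'   -> something else answered (reverse proxy, non-Elasticsearch service, error page)
    """
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            return "unknown"
        if isinstance(doc, dict) and (doc.get("tagline") == ES_TAGLINE or "cluster_name" in doc):
            return "open"
    return "unknown"


def total_docs(cat_indices_body: str) -> int:
    """Sum docs.count over the JSON returned by GET /_cat/indices?format=json.

    docs.count is a string in that output and is null for closed indices, so
    treat missing values as zero.
    """
    return sum(int(row.get("docs.count") or 0) for row in json.loads(cat_indices_body))


def _get(url: str, timeout: float) -> tuple:
    """Fetch url without credentials; return (status, body) even for HTTP errors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(host: str, port: int = 9200, timeout: float = 5.0, scheme: str = "http") -> dict:
    """Network check: classify host:port and, if open, count the documents it exposes."""
    base = f"{scheme}://{host}:{port}"
    try:
        status, body = _get(base + "/", timeout)
        finding = {"target": base, "state": classify_root_response(status, body)}
        if finding["state"] == "open":
            _, cat = _get(base + "/_cat/indices?format=json", timeout)
            finding["exposed_docs"] = total_docs(cat)
        return finding
    except (urllib.error.URLError, OSError):
        return {"target": base, "state": "unreachable"}


# Constructed sample replies (not real captures) used for the offline self-check.
OPEN_BODY = json.dumps({
    "name": "node-1", "cluster_name": "prod-search",
    "version": {"number": "7.10.2"}, "tagline": ES_TAGLINE,
})
PROTECTED_BODY = json.dumps({"error": {
    "type": "security_exception",
    "reason": "missing authentication credentials for REST request [/]"}})
CAT_INDICES = json.dumps([
    {"index": "listings", "docs.count": "1250000"},
    {"index": ".kibana_1", "docs.count": "37"},
    {"index": "old-orders", "docs.count": None},  # closed index: no count reported
])

if __name__ == "__main__":
    print(classify_root_response(200, OPEN_BODY))       # open
    print(classify_root_response(401, PROTECTED_BODY))  # protected
    print(total_docs(CAT_INDICES))                      # 1250037
    print(probe("127.0.0.1"))  # probes a local node if one is listening on 9200
```

Run it against every node you own from outside your network perimeter, not just from the node itself: a cluster that is correctly bound to a private interface still shows up as "open" if a cloud security group or load balancer forwards 9200 to it, which is the configuration that usually produces findings like this one.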
What should Reverb customers do?
While the database was probably exposed for only a short period, if a security researcher could find it, so could a threat actor.
With this in mind, it is safest to assume that your data was exposed and to be on the lookout for phishing emails that use this information.
Since passwords were not exposed in this breach, Reverb will not reset them. However, Reverb recommends that users routinely reset their passwords for added security.