Reverb, a popular online marketplace for musical instruments, has suffered a data breach and is now notifying its users. According to the company, a database containing customers' personally identifiable information (PII) was exposed online for a period and was secured as soon as the exposure was discovered. Reverb advised customers to change their passwords as a routine precaution but gave no explanation of how the exposure happened.
Reverb.com Disclosed Data Breach
Reverb is a popular marketplace for buying and selling musical instruments, including vintage gear. Without prior warning, the platform on Monday began emailing its customers about a data breach incident it suffered this year.
The notification said that customer information such as names, addresses, phone numbers, and email addresses had been exposed through a database, which was secured as soon as the exposure was noticed. While assuring users that no passwords or payment details were involved, Reverb recommended that customers update their passwords regularly as good security practice.
Just completed analysis of the samples: seems like it was data of 5.6M @reverb users exposed via unprotected ES cluster, incl: full name, email, postal address, phone, listing/order count, paypal email.. IP is down now. Not sure if cluster was managed by Reverb or someone else. pic.twitter.com/W7v2yKn0oR
— Bob Diachenko (@MayhemDayOne) April 23, 2021
While Reverb gives no explanation of how this happened, security researcher Bob Diachenko, who discovered the exposure earlier, explained it in his post. He identified an unsecured Elasticsearch cluster exposed to the internet containing 5.6 million records.
Each record corresponds to a listing on the Reverb website and includes the full name, email address, phone number, mailing address, PayPal email address, and listing/order data. He confirmed the data was genuine by checking some @reverb email addresses in the set against real-life profiles.
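The failure mode here is an Elasticsearch cluster that answers unauthenticated HTTP requests. The following is an added example, not code from Reverb, the researcher, or the original article: it requests the `_cat/indices` endpoint without credentials and classifies the answer, so an operator can confirm that their own cluster refuses anonymous access. The host name, port and the sample response are constructed for illustration, plain HTTP is assumed, and it should only be pointed at clusters you are authorized to test.

```python
"""Check whether an Elasticsearch endpoint serves index listings without authentication.

Added example (not Reverb's or the researcher's code). The host, port and the
sample response below are constructed; point probe() only at hosts you own.
"""
import json
import urllib.error
import urllib.request

# Constructed sample: what an open cluster returns for GET /_cat/indices?format=json
SAMPLE_OPEN_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "users",
     "docs.count": "5600000", "store.size": "2.1gb"},
    {"health": "green", "status": "open", "index": "listings",
     "docs.count": "120000", "store.size": "300mb"},
    # closed indices report no document count; the parser must tolerate that
    {"health": "green", "status": "close", "index": "archive",
     "docs.count": None, "store.size": None},
])


def classify_response(status, body):
    """Map an HTTP status and body from GET /_cat/indices?format=json to a verdict.

    Returns (verdict, indices) where indices is a list of (name, doc_count).
    A 401/403 means the cluster demands credentials; a 200 carrying an index
    list means anyone on the network can enumerate (and then read) the data.
    """
    if status in (401, 403):
        return "auth_required", []
    if status != 200:
        return "unknown", []
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown", []
    if isinstance(data, list) and data and all(isinstance(e, dict) and "index" in e for e in data):
        indices = [(e["index"], int(e.get("docs.count") or 0)) for e in data]
        return "exposed", indices
    return "unknown", []


def total_docs(indices):
    """Sum the document counts of the listed indices (rough size of what is exposed)."""
    return sum(count for _, count in indices)


def probe(host, port=9200, timeout=5):
    """Perform the unauthenticated probe over plain HTTP (assumed; adjust for TLS)."""
    url = f"http://{host}:{port}/_cat/indices?format=json"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # 401/403 arrive here; any body is irrelevant for the verdict
        return classify_response(e.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable", []


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then a live probe of a
    # hypothetical local test cluster.
    verdict, idx = classify_response(200, SAMPLE_OPEN_INDICES)
    print(verdict, total_docs(idx), "documents across", len(idx), "indices")
    print(probe("127.0.0.1"))
```

A verdict of `exposed` from a cluster reachable on a public address is the condition described in this article; the fix is to require authentication on the HTTP layer and bind the node to an internal interface, not merely to block the specific source that found it.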
The database was secured before he reported it, so the exposure itself is closed. But it is still a data breach: if a security researcher could reach the data, threat actors may have as well, so users should assume it was accessed and stay vigilant for follow-on attacks (phishing is the obvious use of leaked names, email addresses and phone numbers).