Reverb.com Disclosed Data Breach
Reverb is a popular marketplace for buying and selling musical instruments, even if they’re vintage. In a sudden intimation to its community, the platform on Monday started sending email notifications to its customers about a data breach incident it suffered this year. The notification said the customers’ information like their names, addresses, phone numbers, and email addresses were exposed through a database, which has been secured immediately after realizing. Assuring that no passwords or payment details are included in the breach, Reverb suggested customers update their passwords regularly as a good security practice.
— Bob Diachenko (@MayhemDayOne) April 23, 2021 While Reverb mentions no reason on how this had happened, Bob Diachenko, a security researcher, explained in his post as he discovered this even earlier. He pointed out an unsecured Elasticsearch database exposed to the internet containing 5.6 million records. Each record has a specific listing on the Reverb website, which includes the full name, email address, phone number, mailing address, PayPal email, and listing/order data. Also, he confirmed the data leak to be genuine after confirming with some users’ @reverb email addresses and real-life profiles. The database was secured even before he reported, so it should be safe now. But since it’s still a data breach and lets a security researcher access, assuming that threat actors may have accessed and staying vigilant about potential cyberattacks is recommended.