IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Reverb exposes 'millions' of customer records on unsecured server

Leaked records contained data including full names, email addresses, phone numbers and mailing addresses

Online musical instrument marketplace Reverb has warned customers of a data breach affecting the website and 5.6 million user records.

According to security researcher Bob Diachenko, he discovered an unsecured Elasticsearch server earlier this month containing over 5.6 million records. These records contained data about individual listings on Reverb, including full names, email addresses, phone numbers, mailing addresses, PayPal emails, and listing/order information.

“Upon closer inspection, I noticed that there are many 'test' emails coming from @reverb.com domain. I decided to verify shop slugs against real URLs on Reverb site and quickly confirmed the initial thought - it was all Reverb users’ data,” Diachenko said.

He then ran a quick check to see who the sellers were. He found the details of several high-profile sellers, including Bill Ward of Black Sabbath, Jimmy Chamberlin of Smashing Pumpkins, Alessandro Cortini of Nine Inch Nails, and more.

Reverb has started notifying customers that the breach exposed potentially sensitive information.

In an email to users, Reverb wrote: “We take our users’ privacy and security very seriously. Out of an abundance of caution, we wanted to inform you that Reverb recently became aware of an issue relating to user contact information.”

Related Resource

NETSCOUT threat intelligence report

Cyber crime: Exploiting a pandemic

Threat intelligence report - whitepaper from NETSCOUTDownload now

“At this time, we believe that contact information, including name, address, phone number, and email, was publicly accessible for a short period of time. We do not have reason to believe that any of this information has been misused, nor do we believe that password or payment information were involved.”

Paul Norris, senior systems engineer EMEA at Tripwire, told IT Pro that misconfigurations like these are becoming all too common.

“Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone. A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when your data storage is directly connected to the Internet,” he said.

“Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch. Once a process is in place, the systems must be monitored for changes to their configurations.”

Sergio Loureiro, cloud security director at Outpost24, told IT Pro that everyone needs to be “playing from the same music sheet when it comes to security and with the countless possibilities of ‘quickly deploying a system in the cloud,’ security is -still- often overlooked by organizations.”

“As datasets grow to these sizes, the data is becoming increasingly valuable to businesses and in some cases even more valuable than money. Unfortunately, not everyone protects it like the valuable asset it is,” Loureiro said.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Deploying flexible data protection to support cloud workload placement
Whitepaper

Deploying flexible data protection to support cloud workload placement

10 Mar 2022
Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Europol ordered to delete huge cache of unlawfully stored data
data protection

Europol ordered to delete huge cache of unlawfully stored data

11 Jan 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022