Reverb, the largest online music marketplace in the world, has disclosed a data breach that has compromised its users’ personal information.
The company notified Reverb members as “an abundance of caution” to reassure them that the problem had been resolved promptly and a thorough investigation had been conducted.
Reverb urged members to update their passwords, although no payment records or passwords had been leaked and no indication that any of the data had been misused.
Volodymyr “Bob” Diachenko, a cybersecurity expert and owner of securitydiscovery.com, found millions of the company’s details online in an unencrypted Elasticsearch site.
On April 23, Diachenko posted specifics of the data breach on LinkedIn, revealing that 5.6 million Reverb.com information had been compromised, including listing and order details, phone numbers, full names, home addresses, email addresses, and PayPal email addresses.
On April 5, Diachenko discovered an unsecured records’ cache and had no idea who it belonged to. He said, “At first, it wasn’t immediately clear who owns this and what type of data it is, so I put it on a shelf—until now. Since the discovery, the IP with database was taken down.”
“Upon closer inspection, I noticed that there are many ‘test’ emails coming from @reverb.com domain. I decided to verify shop slugs against real URLs on Reverb site and quickly confirmed the initial thought—it was all Reverb users’ data,” Diachenko added.
The cyberattack at Reverb.com exposed data of high-profile musicians, including Alessandro Cortini of Nine Inch Nails, Bill Ward of Black Sabbath, and Jimmy Chamberlin of the Smashing Pumpkins.
According to the cybersecurity consultant, the data exposure could make Reverb.com members prone to cyber threats, such as phishing attacks via phone, text, or email.
“Scammers might pose as Reverb or an associated company in an attempt to persuade victims to divulge additional information such as account login credentials or payment details. The fact that customer shop IDs were exposed is troublesome as these can be used to make fraudulent correspondence look legitimate.”
He further said that hackers might compare data from this breach to data from other breaches to get enough information to create phishing operations “extra convincing.”
Based in Chicago, Illinois, Reverb is a medium for buying and selling musical instruments that may be new, used, or vintage. David Kalt, the owner of the Chicago Music Exchange, established the company in 2013, and it now has over 10 million visitors a month.