Reverb exposes 'millions' of customer records on unsecured server
Leaked records contained data including full names, email addresses, phone numbers and mailing addresses


Online musical instrument marketplace Reverb has warned customers of a data breach affecting the website and 5.6 million user records.
According to security researcher Bob Diachenko, he discovered an unsecured Elasticsearch server earlier this month containing over 5.6 million records. These records contained data about individual listings on Reverb, including full names, email addresses, phone numbers, mailing addresses, PayPal emails, and listing/order information.
“Upon closer inspection, I noticed that there are many 'test' emails coming from @reverb.com domain. I decided to verify shop slugs against real URLs on Reverb site and quickly confirmed the initial thought - it was all Reverb users’ data,” Diachenko said.
He then ran a quick check to see who the sellers were. He found the details of several high-profile sellers, including Bill Ward of Black Sabbath, Jimmy Chamberlin of Smashing Pumpkins, Alessandro Cortini of Nine Inch Nails, and more.
Reverb has started notifying customers that the breach exposed potentially sensitive information.
In an email to users, Reverb wrote: “We take our users’ privacy and security very seriously. Out of an abundance of caution, we wanted to inform you that Reverb recently became aware of an issue relating to user contact information.”
RELATED RESOURCE
“At this time, we believe that contact information, including name, address, phone number, and email, was publicly accessible for a short period of time. We do not have reason to believe that any of this information has been misused, nor do we believe that password or payment information were involved.”
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Paul Norris, senior systems engineer EMEA at Tripwire, told IT Pro that misconfigurations like these are becoming all too common.
“Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone. A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when your data storage is directly connected to the Internet,” he said.
“Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch. Once a process is in place, the systems must be monitored for changes to their configurations.”
Sergio Loureiro, cloud security director at Outpost24, told IT Pro that everyone needs to be “playing from the same music sheet when it comes to security and with the countless possibilities of ‘quickly deploying a system in the cloud,’ security is -still- often overlooked by organizations.”
“As datasets grow to these sizes, the data is becoming increasingly valuable to businesses and in some cases even more valuable than money. Unfortunately, not everyone protects it like the valuable asset it is,” Loureiro said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
Asus ZenScreen Fold OLED MQ17QH review
Reviews A stunning foldable 17.3in OLED display – but it's too expensive to be anything more than a thrilling tech demo
By Sasha Muller
-
How the UK MoJ achieved secure networks for prisons and offices with Palo Alto Networks
Case study Adopting zero trust is a necessity when your own users are trying to launch cyber attacks
By Rory Bathgate
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolen
Capita told the pension provider to “work on the assumption” that data had been stolen
By Ross Kelly
-
Gumtree site code made personal data of users and sellers publicly accessible
News Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
By Connor Jones
-
Pizza chain exposed 100,000 employees' Social Security numbers
News Former and current staff at California Pizza Kitchen potentially burned by hackers
By Danny Bradbury
-
83% of critical infrastructure companies have experienced breaches in the last three years
News Survey finds security practices are weak if not non-existent in critical firms
By Rene Millman
-
Identity Automation launches credential breach monitoring service
News New monitoring solution adds to the firm’s flagship RapidIdentity platform
By Praharsha Anand
-
Neiman Marcus data breach hits 4.6 million customers
News The breach took place last year, but details have only now come to light
By Rene Millman
-
Indiana notifies 750,000 after COVID-19 tracing data accessed
News The state is following up to ensure no information was transferred to bad actors
By Rene Millman
-
Pearson fined $1 million for downplaying severity of 2018 breach
News The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
By Rene Millman