Reverb is the largest online marketplace for buying and selling new, used, and vintage musical instruments and gear.

Yesterday, the company confirmed it has suffered a security breach after its customer database was exposed online. As reported by Lawrence Abrams, Reverb customers began receiving data breach notifications stating that their names, addresses, phone numbers, customer shop IDs, and email addresses were publicly exposed.

[Screenshot: Reverb security breach notification. Image source: BleepingComputer]

On April 23rd, cybersecurity consultant Volodymyr Diachenko discovered a publicly exposed, unprotected Elasticsearch server that contained more than 5.6 million records. Upon closer analysis, Diachenko noticed that

(…) there are many ‘test’ emails coming from @reverb.com domain. I decided to verify shop slugs against real URLs on Reverb site and quickly confirmed the initial thought – it was all Reverb users’ data. Apparently, given the size of the dataset and its structure, I would assume that it relates to sellers rather than visitors.

To confirm my thought, I ran a quick check and was able to find several high-profile sellers’ details, including Bill Ward of Black Sabbath, Jimmy Chamberlin of the Smashing Pumpkins, Alessandro Cortini of Nine Inch Nails and more.


Diachenko warns that the main threat to customers whose data has been exposed is targeted phishing attacks, delivered by email, text message, or even phone call. Threat actors can now impersonate Reverb representatives or an associated company to manipulate victims into providing information such as login credentials or financial details.

To make matters worse, the leaked customer shop IDs could be used to make fraudulent correspondence look legitimate, since a message that quotes a victim's real shop ID appears to come from someone with access to their account.

As is usually the case with phishing scams, attackers might combine this data with information from other breaches to learn more about potential victims. Those additional details make the phishing attempts even more convincing.

Reverb customers are advised to keep an eye out for such messages and to avoid clicking links or opening suspicious attachments.

Diachenko believes the database was most probably unsecured only for a short period, but notes that if he could find it, so could a cybercriminal.

Since Reverb is convinced that users’ passwords were not exposed in the breach, the company announced that it will not reset them. Nevertheless, as a precaution, users are advised to reset their passwords themselves.
