Last week, security consultant Bob Diachenko found an unsecured database run by the Etsy-owned music marketplace Reverb.
The exposed database, which contained user data like phone numbers, emails, addresses, and even order information, was dangerous in its own right, but then Diachenko figured out how many customers were affected: 5.6 million, by his reckoning, an exceedingly huge breach that has become a sadly normal experience for online e-commerce customers.
“At first, it wasn’t immediately clear who owns this and what type of data it is, so I put it on a shelf — until now. Since the discovery, the IP with the database was taken down,” said Diachenko in a LinkedIn post. “Upon closer inspection, I noticed that there are many ‘test’ emails coming from @reverb.com domain. I decided to verify shop slugs against real URLs on the Reverb site and quickly confirmed the initial thought — it was all Reverb users’ data.”
The server was an unprotected Elasticsearch instance, a type of open-source database that can act as a superfast search engine. The tool, used by many online retailers and social media sites, allows for quick lookups of various bits of data including, in this case, instant access to customer data. This service should be locked down, but Diachenko has found multiple instances where the search engine was wide open to all comers.
Diachenko checked the data and found it contained some interesting Reverb customers.
“To confirm my thought, I ran a quick check and was able to find several high-profiled sellers details, including Bill Ward of Black Sabbath, Jimmy Chamberlin of the Smashing Pumpkins, Alessandro Cortini of Nine Inch Nails and more,” he wrote.
Reverb, for its part, sent an email notifying customers of the breach.
Reverb is a music gear marketplace that crafts marketplace Etsy bought in 2019. Etsy claimed it planned “to leverage its marketplace expertise to help Reverb further scale and grow.”
We have reached out to Reverb for clarity on the breach.