Etsy-Owned Music Sales Site Reverb Hit With Data Breach


Last week, security consultant Bob Diachenko found an unsecured database run by the Etsy-owned music marketplace Reverb.

The exposed database contained user data such as phone numbers, emails, addresses, and even order information, which made it dangerous in its own right. Diachenko then worked out how many customers were affected: 5.6 million, by his reckoning, a huge breach of the kind that has become sadly normal for online e-commerce customers.

“At first, it wasn’t immediately clear who owns this and what type of data it is, so I put it on a shelf — until now. Since the discovery, the IP with the database was taken down,” said Diachenko in a LinkedIn post. “Upon closer inspection, I noticed that there are many ‘test’ emails coming from domain. I decided to verify shop slugs against real URLs on the Reverb site and quickly confirmed the initial thought — it was all Reverb users’ data.”

The server was an unprotected Elasticsearch instance, a type of open-source database that can act as a superfast search engine. The tool, used by many online retailers and social media sites, allows for quick lookups of various bits of data including, in this case, instant access to customer data. This service should be locked down, but Diachenko has found multiple instances where the search engine was wide open to all comers.

Screenshot: Volodymyr Diachenko

Diachenko checked the data and found it contained some interesting Reverb customers.

“To confirm my thought, I ran a quick check and was able to find several high-profile sellers’ details, including Bill Ward of Black Sabbath, Jimmy Chamberlin of the Smashing Pumpkins, Alessandro Cortini of Nine Inch Nails and more,” he wrote.

Reverb, for its part, sent an email notifying customers of the breach.

Image: HotforSecurity

Reverb is a music gear marketplace that Etsy, the crafts marketplace, bought in 2019. Etsy claimed it planned “to leverage its marketplace expertise to help Reverb further scale and grow.”

We have reached out to Reverb for clarity on the breach.