A data breach at the world’s largest online music marketplace has exposed the personal details of high-profile musicians.
Information belonging to Bill Ward of Black Sabbath, Jimmy Chamberlin of the Smashing Pumpkins, and Alessandro Cortini of Nine Inch Nails was among the data exposed in the security incident at Reverb.com.
Millions of the retailer’s records were discovered online on an unsecured Elasticsearch server by independent cybersecurity consultant and securitydiscovery.com owner Volodymyr “Bob” Diachenko.
Sharing details of the breach on LinkedIn on April 23, Diachenko said he had found 5.6 million exposed Reverb.com records containing full names, email addresses, phone numbers, addresses, PayPal email addresses, and listing/order information.
When the cybersecurity consultant first came across the cache of unsecured data on April 5, he wasn’t sure who it belonged to.
“At first, it wasn’t immediately clear who owns this and what type of data it is, so I put it on a shelf—until now. Since the discovery, the IP with the database has been taken down,” said Diachenko.
“Upon closer inspection, I noticed that there are many ‘test’ emails coming from the @reverb.com domain. I decided to verify shop slugs against real URLs on the Reverb site and quickly confirmed the initial thought—it was all Reverb users’ data.”
Reverb.com is an online marketplace for new, used, and vintage music gear with its headquarters in Chicago, Illinois. The company was founded in 2013 by Chicago Music Exchange owner David Kalt and has more than 10 million monthly visitors.
Diachenko said the exposure of the data could make Reverb.com users vulnerable to cybercrime, including phishing attacks carried out over email, by text message, or by phone.
“Scammers might pose as Reverb or an associated company in an attempt to persuade victims to divulge additional information such as account login credentials or payment details,” said the consultant.
“The fact that customer shop IDs were exposed is troublesome as these can be used to make fraudulent correspondence look legitimate.”
He added that cyber-criminals could cross-reference data leaked in this breach with information exposed in other breaches to gain enough details to make their phishing attempts “extra convincing.”