The world's largest online music retail marketplace Reverb.com has suffered a data breach that temporarily exposed customer contact details such as names, addresses, email addresses and phone numbers before the issue was identified.
Reverb members were contacted at 8.40pm GMT by the company, who said that it was emailing out of “an abundance of caution” to assure the site's users that the issue was dealt with immediately, and a full investigation launched.
While no passwords or payment information were exposed, and there was no evidence that any of the information was misused, Reverb advised users to change their passwords.
As reported by Bleeping Computer, the data breach, which affected 5.6 million Reverb members, was discovered by security researcher Bob Diachenko, who alerted Reverb after finding the unprotected ElasticSearch server online.
In his LinkedIn report, Diachenko said that high-profile sellers such as Bill Ward of Black Sabbath, Jimmy Chamberlin of the Smashing Pumpkins and Alessandro Cortini of Nine Inch Nails were among the sellers who had their contact details exposed.
A data breach such as this raises cybersecurity concerns, leaving affected users potential targets for phishing attacks. Cybersecurity experts say incidents such as this are all too common.
“Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone,” said Paul Norris, Senior Systems Engineer EMEA at Tripwire. “A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when your data storage is directly connected to the Internet.”
Trevor Morgan, product manager at comforte AG, said that incidents surrounding ElasticSearch servers were “a wake-up call” for data safety: “Beyond ensuring that products and services are correctly deployed and maintained by competent, experienced staff, organisations must also secure their cloud-based data by adopting a data-centric security model that protects the data at rest, in motion, and in use – even if a properly configured system is compromised.”
Reverb said that the company is “taking steps to prevent something like this from happening again” and that users could change their passwords at the Account Settings page.