Reverb Musical Instrument Marketplace Exposes 5.6 Million Customer Records Through Elasticsearch
The Reverb.com LLC musical instrument marketplace has suffered a data breach, with the details of 5.6 million users exposed online.
First discovered and detailed on April 23 by security researcher Bob Diachenko, the breach involved an Elasticsearch server left open to anyone on the internet, without any protection. The database included users' full names, email addresses, phone numbers, mailing addresses, PayPal email addresses, and listing and order information.
Reverb raised $47 million in venture capital from firms including Summit Partners and GE32 Capital before being acquired by Etsy Inc. in 2019. It confirmed the data breach in an email to users, although "confirmed" is putting it generously: what it actually told users was that “out of caution we wanted to let you know that Reverb has recently become aware of an issue with user contact information.”
“As soon as we learned about the problem, we immediately worked to fix it,” Reverb added, the fix in question being the simple step of requiring a password on an Elasticsearch instance.
It gets worse. “We have investigated the situation to determine what has happened and are taking action to prevent something like this from happening again,” the company said. Requiring a password on a database does not call for an investigation; it calls for logic, and for firing whoever set up the database without a password in the first place.
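As an added illustration (not code from the article or from any of the companies named), a small posture check over an elasticsearch.yml that flags the combination behind this exposure: a node bound to a non-loopback interface with authentication switched off. It assumes the 7.x default that xpack.security.enabled is off unless set (8.0 turned it on by default), and the two sample configs are constructed.

```python
LOOPBACK = {"_local_", "localhost", "127.0.0.1", "::1"}

def parse_settings(yaml_text):
    """Parse the flat `key: value` lines elasticsearch.yml normally uses (nested YAML is
    out of scope). Comments and blank lines are skipped; values are returned lower-cased."""
    settings = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        value = value.strip().strip("'\"")
        if sep and value:
            settings[key.strip()] = value.lower()
    return settings

def audit(yaml_text, major_version=7):
    """Return findings, most severe first. Assumes the 7.x default that
    xpack.security.enabled is off unless set; from 8.0 it defaults to on."""
    s = parse_settings(yaml_text)
    findings = []
    hosts = {h.strip() for h in s.get("network.host", "_local_").strip("[]").split(",")}
    exposed = any(h not in LOOPBACK for h in hosts)
    if exposed:
        findings.append("network.host binds a non-loopback interface: " + ", ".join(sorted(hosts)))
    auth = s.get("xpack.security.enabled")
    auth_on = (auth == "true") if auth is not None else major_version >= 8
    if not auth_on:
        findings.append("xpack.security.enabled is off: any client can read and write every index")
    if exposed and not auth_on:
        findings.insert(0, "CRITICAL: unauthenticated node reachable from other hosts")
    if exposed and s.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("HTTP API is plaintext: data and credentials cross the network unencrypted")
    return findings

# Constructed sample configs for a 7.x node (not taken from the article).
OPEN_NODE = """cluster.name: shop-search
network.host: 0.0.0.0        # listen on every interface
http.port: 9200
xpack.security.enabled: false
"""
HARDENED_NODE = """cluster.name: shop-search
network.host: 10.0.3.12      # private interface, reachable only from the internal network
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
```

Running `audit(OPEN_NODE)` reports the critical finding first; the hardened config only notes that the node is reachable from other hosts, which is the intended state when authentication and TLS are on.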
“Although the exposure time of the database is currently unknown, a malicious actor could have easily accessed the data and exploited it for highly targeted phishing attacks,” Anurag Kahol, chief technology officer and co-founder of total cloud security company Bitglass Inc., told SiliconANGLE. “Unfortunately, with this data in the wrong hands, the physical safety of victims could also be at risk. This further validates the need for complete visibility and control over all data in the IT ecosystem, including that stored in the cloud.”
To mitigate the risk of unauthorized access to sensitive data, he added, “organizations must adopt robust, flexible and proactive cybersecurity platforms that include data loss prevention, multi-factor authentication, analysis of user and entity behavior, and cloud security and posture management capabilities.”