- A researcher discovered a large set of data consisting of ‘Reverb’ user details.
- A contractor may have managed the cluster, or it could have been stolen from elsewhere.
- The exposed data is very sensitive, including names, emails, IPs, PayPal details, and phone numbers.
Researcher Bob Diachenko published a staggering finding on Twitter involving an unprotected Elasticsearch cluster that held 5.6 million data records. The entries are generic but match elements found on Reverb shops, so the data appears to have been derived from the popular musical instruments online marketplace. The leaked data includes full names, email addresses, postal addresses, phone numbers, listing/order counts, PayPal account emails, IP addresses, and more.
In a private chat, Diachenko told us that he first discovered the database on April 5, 2021, which is when specialized search engines indexed it. The database has since been taken offline and is no longer accessible, but in the meantime the researcher hasn’t been able to determine whether the cluster was managed by Reverb or by someone else. The data could have been snatched from elsewhere, but until Reverb gets back to us with a comment, we have no way to tell.
The consequences of this exposure are dire, and as Diachenko told us, some big-name shops are included in the exposed set. The fact that a PayPal account email is accompanied by a phone number, for example, opens the way for SIM-swap-based 2FA bypassing. Phishing, scamming, and general trickery are also obviously greatly empowered by this set.
For this reason, Reverb should have already sent breach notifications to its users, but as far as we can tell, that hasn’t happened. The researcher also informed us that Troy Hunt would soon receive a list of all the exposed emails, so expect haveibeenpwned.com to add the relevant list, helping affected users find out whether their details are included in the set.
Our advice to all Reverb users is to reset your password on the platform, as well as anywhere else you may be using the same credentials. Next, send a message to Reverb's support and ask for clarification on how this incident affects you. For now, there is no confirmed breach of the Reverb platform, but it’s better to be safe than sorry.