5.6 Million Records That Appear to Belong to ‘Reverb’ Users Leaked Online

  • A researcher discovered a large set of data consisting of ‘Reverb’ user details.
  • A contractor may have managed the cluster, or the data could have been stolen from elsewhere.
  • The exposed data is very sensitive, including names, emails, IPs, PayPal details, and phone numbers.

Researcher Bob Diachenko published a staggering finding on Twitter involving an unprotected ElasticSearch cluster that held 5.6 million data records. The entries are generic but match some elements found on Reverb shops, so the data appears to have been derived from the popular online marketplace for musical instruments. The leaked data includes full names, email addresses, postal addresses, phone numbers, listing/order count, PayPal account email, IP address, and more.

In a private chat, Diachenko told us that he first discovered the database on April 5, 2021, which is when specialized search engines indexed it. The database has since been taken offline and is no longer accessible, but the researcher hasn’t been able to figure out whether the cluster was managed by Reverb or someone else. The data could have been taken from elsewhere, but until Reverb gets back to us with a comment on this, we have no way to tell.

The consequences of this breach are dire, and as Diachenko told us, there are some big-name shops included in the exposed set. The fact that there’s a PayPal account email accompanied by phone numbers, for example, opens up the way for SIM-swap-based 2FA bypassing. Also, phishing, scamming, and general trickery are obviously greatly empowered by this set.

For this reason, Reverb should have already sent notifications of a breach to its users, but as far as we can tell, something like that hasn’t happened. The researcher also informed us that Troy Hunt would get a list of all the exposed emails soon, so expect haveibeenpwned.com to add the relevant list, helping the compromised users find out if their details are included in the set or not.

Our advice to all Reverb users would be to reset your password on the platform, as well as anywhere else you may be using the same credentials. Next, send a message to Reverb's support and ask for clarification on how this incident impacts you. For now, there is no confirmed breach on the Reverb platform, but it is better to be safe than sorry.
