Musical instrument marketplace Reverb.com LLC has suffered a data breach, with details of 5.6 million users exposed online.

First discovered and detailed April 23 by security researcher Bob Diachenko, the data breach involved an exposed Elasticsearch server that was exposed to all and sundry without any protection. The database includes full name, email address, phone number, mailing address, PayPal email and the listing and order information of its users.

Reverb raised $47 million in venture capital from firms including Summit Partners and GE32 Capital before being acquired by Etsy Inc. in 2019. It confirmed the data breach in an email to users. Confirmation is a generic way of saying that what it actually told its users is that “out of an abundance of caution, we wanted to inform you that Reverb recently became aware of an issue relating to user contact information.”

“As soon as we learned of the issue, we immediately worked to resolve it,” Reverb added, referring to the simple idea of including a password on an Elasticsearch instance.

It gets worse. “We conducted an investigation of the situation to determine what happened and are taking steps to prevent something like this happening again,” it said. Having a password on a database doesn’t require an investigation; it requires logic and the firing the person who set the database up without a password to begin with.

“Although the amount of time the database was exposed is currently unknown, a malicious actor could have easily obtained access and leveraged the data for highly targeted phishing attacks,” Anurag Kahol, chief technology officer and cofounder of total cloud security company Bitglass Inc., told SiliconANGLE. “Unfortunately, with this data in the wrong hands, victims’ physical safety could also be at risk. This further validates the need for complete visibility and control over all data across the IT ecosystem–including that which is stored in the cloud.”

To mitigate the risk of unauthorized access to sensitive data, he added, “organizations must adopt robust, flexible, and proactive cybersecurity platforms that include data loss prevention, multifactor authentication, user and entity behavior analytics and cloud security and posture management capabilities.”

Image: Reverb