ReverbNation breach points to an old yet newly ‘known unknown’

What surprised me wasn’t the breach itself, but a date in the first paragraph explaining what had happened:

“ReverbNation was recently contacted by law enforcement and alerted that an individual had illegally sought to gain unauthorized access to some of our customer’s user data. In January 2014, an individual, who has since been identified and charged, illegally accessed a ReverbNation vendor’s computer systems and ultimately gained unauthorized access to user information contained in a backup of our database.”

Really? January 2014???! That’s over one and a half years ago.

According to ReverbNation, no credit card data was compromised. However, “possibly other user information users provided to us, such as names, addresses, phone numbers, and/or dates of birth may have been accessed.”

Possibly? May have been???! There’s a trend here.

I’ve been a big fan of ReverbNation (ever since making my own musician profile there several years ago), but I am naturally skeptical that ReverbNation can be so sure about no credit card data being compromised at the same time it is so unsure about the status of names, addresses, phone numbers, and/or dates of birth.

This was a breach not detected until more than 18 months after it occurred – and not detected at all internally. It’s safe to assume that, had law enforcement not discovered the breach some other way and alerted ReverbNation to the situation, they might never have known. And neither would the site’s users.


How to Change Your ReverbNation Password

  1. Log in to reverbnation.com.
  2. From your Dashboard, click on your profile image in the top right of the screen.
  3. Select “Account.”
  4. Select “Change Password” in the top right of the screen.
  5. Enter the requested information, and click “Proceed.”
  6. You should immediately receive a ReverbNation email notifying you of the password change.

In closing, if you are part of a business that intends to have any customer information whatsoever stored through your website, you are not immune to attacks. So do something about it. Right now.


Marketing/Branding guy, copywriter (Industrial Poet), M.Ed., editor, singer-songwriter/guitarist, reader, writer, and daddy to two amazing girls. Prior to joining Avira in summer of 2014, Mashak helped another European IT security company grow from obscurity into a globally recognized industry leader (and household name). From 2008 to 2010, he worked with an IT market research firm as report editor for the CEMA region. Before that, he was a freelance marketing consultant, a high school English teacher, the owner of a property management company, served five years on sales and client-retention teams for the world's largest perimeter security firm, and dabbled with various small business ventures of his own.