Freecycle Breach May Have Hit Millions of Users


A non-profit organization used by millions on both sides of the Atlantic to recycle their possessions has admitted suffering a data breach last month.

The US-based Freecycle Network, which is also registered as a charity in the UK, claimed in an online notice that it discovered the incident on August 30.

The non-profit said it has already notified the UK data protection regulator, the Information Commissioner’s Office (ICO), and the “appropriate US authorities.”

“The breach of data includes usernames, User IDs, email addresses and passwords. Because of the exposure of personal passwords we are taking every measure to quickly inform members about the need to change their passwords,” the notice continued.

“If you have used the same password elsewhere, you are well advised to change the password there as well. No other personal information was compromised and the breach has been closed and is being reported to the respective privacy authorities.”


It’s not clear whether the passwords were scrambled or stored in plain text by Freecycle.

Surprisingly, there had been no announcement by Freecycle on social media at the time of writing, nor had this author received an email requesting a password reset.

However, a separate notification email posted to X (formerly Twitter) by a recipient did claim passwords were hashed.

The concern will be that if these credentials end up in the wrong hands and the hashed passwords can be cracked, cyber-criminals could feed them into credential stuffing software to try the logins across numerous other online accounts.

The breach may also lead to a surge in follow-on phishing attempts that use the compromised data to elicit more information from Freecycle users.

“While most email providers do a good job at filtering out spam, you may notice that you receive more spam than usual,” the non-profit warned. “As always, please remain vigilant of phishing emails, avoid clicking on links in emails, and don’t download attachments unless you are expecting them.”

Freecycle claims to have nearly 11 million members.
