Freecycle.org has posted a notice on the homepage informing of a data breach on its platform that impacts all members, urging them to change their passwords as soon as possible.
Freecycle is a non-profit grassroots movement of people who want to keep usable items out of landfills by promoting local exchange of goods. Members of the site join local groups, post offers or specific things they seek to find, and then arrange the pickup of the free items with the other members of the same community. Freecycle counts nearly 11 million members in over 5 thousand towns worldwide.
RestorePrivacy
The platform claims it became aware of the data breach on August 30, 2023, however, a user on an emerging hacking forum posted in June what was claimed to be samples of a dataset that includes the information of over 7,000,000 users. It is assumed that Freecycle’s announcement about a breach that impacts all members is a confirmation that the data the forum user posted is real.
The sample data posted on the forum includes the following:
- User ID
- Email address
- User Password (MD5 hashed)
- Recovery email address
RestorePrivacy
The MD5 hashing algorithm is nowadays considered obsolete and reasonably easy to crack, so the passwords can be dehashed given enough computer power and time. That said, the passwords of Freecycle members aren’t safe, and these users are vulnerable to account hijacks on the particular platform, and credential stuffing attacks on other websites where they might be using the same credentials.
On the plus side, the free circulation of goods encouraged by Freecycle and most community guidelines that forbid trading or selling has helped keep the potential risk limited to the above, as no financial details or shipping addresses have been exposed.
The hacker user that posted the data samples was still offering to sell the entire Freecycle database as recently as August 31, 2023, and the number of cybercriminals who might have bought the dataset is unknown at this time.
If you registered an account on Freecycle at any time in the past, be wary of unsolicited communications and emails requesting you to disclose sensitive personal information. Also, change passwords on sites where you might be using the same login details to protect your accounts and online presence.
International Law Enforcement Operation Dismantles QBot Botnet
Thank you Heinrich Sir and Sven Sir for your continuous efforts which has culminated as Restore Privacy and thank you for regular updates. It must be a lot of hard work to verify, test and present the information to users and the website do not have ads so there is not a lot of financial incentive too but for us users to provide the correct information you both are making so much effort. I do not know of any other website which is reliable and trustworthy other than Restore Privacy. I have come across countless others but they are not trustworthy. So thank you very much.
Great article Heinrich!