Freecycle.org has posted a notice on its homepage informing users of a data breach on its platform that impacts all members, urging them to change their passwords as soon as possible.
Freecycle is a non-profit grassroots movement of people who want to keep usable items out of landfills by promoting local exchange of goods. Members of the site join local groups, post offers or requests for specific items, and then arrange the pickup of the free items with other members of the same community. Freecycle counts nearly 11 million members in over 5 thousand towns worldwide.
The platform claims it became aware of the data breach on August 30, 2023. However, a user on an emerging hacking forum posted in June what was claimed to be samples of a dataset that includes the information of over 7,000,000 users. It is assumed that Freecycle’s announcement about a breach that impacts all members is a confirmation that the data the forum user posted is real.
The sample data posted on the forum includes the following:
- User ID
- Email address
- User Password (MD5 hashed)
- Recovery email address
The MD5 hashing algorithm is now considered obsolete and reasonably easy to crack, so the original passwords can be recovered given enough computing power and time. As a result, the passwords of Freecycle members aren’t safe, and these users are vulnerable to account hijacking on the platform itself and to credential stuffing attacks on other websites where they might be using the same credentials.
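For operators who still hold MD5 password hashes like those described above, the following added example (not Freecycle's code, and not taken from the breach notice) shows one common way to retire them: verify the legacy hash at login and immediately rehash with a salted, memory-hard KDF. The record layout, function names and scrypt parameters are assumptions made for illustration, including the assumption that legacy rows are bare unsalted MD5 hex digests.

```python
import hashlib
import hmac
import os

# Assumed record layout (hypothetical, not Freecycle's schema): legacy rows
# hold a bare 32-character MD5 hex digest; upgraded rows hold
# "scrypt$<salt hex>$<key hex>".
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_scrypt(password: str) -> str:
    """Hash a password with a per-user random salt and a memory-hard KDF."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple:
    """Check a login attempt and return (ok, value to store afterwards).

    A correct password against a legacy MD5 row is rehashed with scrypt,
    so the fast hash leaves the database at that user's next login.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, key_hex = stored.split("$")
        key = hashlib.scrypt(password.encode(),
                             salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
        return hmac.compare_digest(key.hex().encode(), key_hex.encode()), stored

    legacy = hashlib.md5(password.encode()).hexdigest()
    if hmac.compare_digest(legacy.encode(), stored.lower().encode()):
        return True, hash_scrypt(password)  # caller persists the new value
    return False, stored


if __name__ == "__main__":
    # Constructed sample row, not data from the breach.
    legacy_row = hashlib.md5(b"constructed-pass").hexdigest()
    ok, new_row = verify_and_upgrade("constructed-pass", legacy_row)
    print(ok, new_row.split("$")[0])
```

Accounts that never log in again keep their MD5 row under this scheme, so it is normally paired with a forced password reset for dormant users.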
On the plus side, the free circulation of goods encouraged by Freecycle and the fact that most community guidelines forbid trading or selling have helped keep the potential risk limited to the above, as no financial details or shipping addresses have been exposed.
The forum user who posted the data samples was still offering to sell the entire Freecycle database as recently as August 31, 2023, and the number of cybercriminals who might have bought the dataset is unknown at this time.
If you registered an account on Freecycle at any time in the past, be wary of unsolicited communications and emails requesting you to disclose sensitive personal information. Also, change passwords on sites where you might be using the same login details to protect your accounts and online presence.