Massive Freecycle data breach could affect 7 million users

More than seven million people may have had their sensitive information stolen following a data breach that happened on Freecycle’s servers. 

The organization has published a warning on its website, describing what happened and urging its users to change their login credentials immediately.

Freecycle is a non-profit organization that connects people looking to exchange used things, instead of throwing them away. 

Freecycle breach

"On August 30th we became aware of a data breach on Freecycle.org," the organization wrote in its statement. "As a result, we are advising all members to change their passwords as soon as possible."

"We apologize for the inconvenience and would ask that you watch this space for further pending background."

The attack appears to have happened months earlier, before June, by which time the Freecycle database was already for sale on the dark web, including data such as usernames, user IDs, email addresses, and MD5-hashed passwords.

Analyzing the screenshots posted by the attackers, BleepingComputer concluded that it was Freecycle founder and executive director Deron Beal who had his credentials stolen, granting the attackers keys to the kingdom. 

Following the discovery of the breach, the organization reached out to the police, it said, and added that users should be wary of possible phishing attacks and other scams coming their way: "While most email providers do a good job at filtering out spam, you may notice that you receive more spam than usual," the warning reads.

"As always, please remain vigilant of phishing emails, avoid clicking on links in emails, and don't download attachments unless you are expecting them." 

Besides phishing, this type of information can also be used in identity theft and wire fraud. 

Freecycle is a major organization with almost 11 million members spread across more than 5,000 towns around the world.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.