Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Freecycle admits to data breach affecting more than 7m users

“Grassroots” second-hand trading platform Freecycle has suffered a data breach that has seen the details of over 7 million of its users posted on a popular hacking forum.

user icon David Hollingworth
Tue, 05 Sep 2023
Freecycle admits to data breach affecting more than 7m users
expand image

Freecycle said it became aware of the incident on 30 August, while the data itself was first posted for sale on 30 June.

The listed data includes usernames and IDs, as well as email addresses – two for each user. Passwords are also part of the dataset, but these are MD5-hashed, making it technically difficult but not impossible for a malicious actor to reverse-engineer.

Regardless, Freecycle is taking the breach seriously and is advising its customers appropriately.

“Because of the exposure of personal passwords, we are taking every measure to quickly inform members about the need to change their passwords,” Freecycle said in a statement on the incident. “If you have used the same password elsewhere, you are well advised to change the password there as well. No other personal information was compromised, and the breach has been closed and is being reported to the respective privacy authorities.”

Freecycle itself is based in the US, where authorities have been notified. The organisation has also informed the Information Commissioner’s Office in the UK.

However, Freecycle has customers all over the world, and tens of thousands of users in Australia. The Sydney Central group – known as a “town” in Freecycle’s own parlance – has more than 8,000 users alone. There are over 190 towns listed in Australia and a further 45 in New Zealand.

Given that the total user base of Freecycle is nearly 11 million, there’s a high chance some Australian accounts have been impacted.

Even more alarming is how the supposed hacker – who appears to be an individual rather than group-affiliated – gained access to the user data. The person in question posted two screenshots on 17 June to prove the information is legitimate, and it appears that they were able to log into Freecycle’s back end using the credentials of the company’s director, Deron Beal.

The screenshots could, of course, have been altered in some manner or even fabricated completely, but regardless, it’s a worrying suggestion for the company.

As well as recommending that its customers change their passwords, Freecycle is also warning its users that they should be on the alert for an increase in scams and phishing attempts.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.